W
Wayne Wastier
Have you tried: http://www.noadware.net/?hop=teksol
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
J
Jim Byrd
Hi Wayne - Take a look here: http://forum.aumha.org/viewtopic.php?t=10920
Note the corruption of the Recycle Bin as a side effect of this malware.
That topic has been selected to remain on the forum for a bit, so feel free
to refer to it - It's currently the best protocol that we know. However, be
aware that there are at least 23 known variants of this one so far! You'll
likely need some help if the AdAware VX2 plug-in doesn't fix this variant
(see the HiJackThis section, below, but run the other stuff first in order):
Read all of the following carefully first, then do the following in order:
#########IMPORTANT#########
Before you try to remove spyware using any of the programs below, download
both a copy of LSPFIX here:
http://www.cexx.org/lspfix.htm
AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here: http://www.tacktech.com/display.cfm?ttid=257
or here for Win2k/XP http://files.webattack.com/localdl834/WinsockxpFix.exe
Info here: http://www.spychecker.com/program/winsockxpfix.html
Directions here: http://www.iup.edu/house/resnet/winfix.shtm
The process of removing certain malware may kill your internet connection.
If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
to regain your connection.
NOTE: It is reported that in XP SP2, the Run command netsh winsock reset
will fix this problem without the need for these programs. (You can also
try this if you're on XP SP1. There has also been one, as yet unconfirmed,
report that this also works there.) Also, one MS technician suggested the
following sequence:
netsh int reset all
ipconfig /flushdns
See also: http://windowsxp.mvps.org/winsock.htm for additional XPSP2
info/approaches using the netsh command.
#########IMPORTANT#########
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible. Reboot and test if the malware is fixed
after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot - General Win2k(if w/msconfig)/XP procedure, but see below for
links for other OS's:
1. Start|Run enter msconfig.
2. On the General tab, click Selective Startup, and then clear the Process
System.ini File, Process Win.ini File, and Load Startup Items check boxes.
Leave the boot.ini boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button.
4. Click OK and then reboot.
For additional information about how to clean boot your operating system,
click the following article numbers to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
Sometimes the tools below will find files which they are unable to delete
because they are in use. A program called Copylock, here,
http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
"replacing, moving, renaming or deleting one or many files which are
currently in use (e.g. system files like comctl32.dll, or virus/trojan
files.)" Another is Killbox, here:
http://www.downloads.subratam.org/KillBox.zip
A third which is a bit different but often useful is Delete Invalid File,
here: http://www.purgeie.com/delinv.htm which handles invalid/UNC
file/folder name deleting, rather than the in use problem
Download and run Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
on this page: http://vil.nai.com/vil/stinger/ ME/XP users be sure to read:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, here: http://www.trendmicro.com/download/pattern.asp Be sure to read
the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might also want
to get Art's updater, SYS-UP.Zip, here for future updating of these:
http://home.epix.net/~artnpeg/). (If you download and use the updater from
the beginning, it will automatically handle downloading the other files.)
Place them in a dedicated folder after appropriate unzipping. Show hidden
and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
Disable Restore if you're on XP or ME (directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), then boot to
Safe mode (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
Read tscreadme.txt carefully, then do a complete scan of your system
in Safe mode and clean or delete anything it finds. Reboot to normal mode
and re-run the scan again.
This scan may take a long time, as Sysclean is VERY extensive and thorough.
For example, one user reported that Sysclean found 69 hits that an
immediately prior Norton AV v. 11.0.2.4 run had missed.
Download and run the trial version of A2 Personal, here:
http://www.emsisoft.com/en/ Run from a Clean Boot or Safe Mode with Show
Hidden Files enabled as above.
Download, UPDATE before running, and run:
http://cwshredder.net/bin/CWSInstall.exe from this page:
http://www.intermute.com/spysubtract/cwshredder_download.html (The new v.2+
which will automatically install in C:\Program
Files\InterMute\SpySubtract\CWShredder.exe and put a shortcut on the
Desktop. Run the program from this install location or the shortcut after
installation. This recommendation for CWShredder is NOT automatically a
recommendation for the other programs adverstised by Intermute in
conjunction with this install.) or from here:
http://www.aumha.org/downloads/cwshredder.exe (v.2+ standalone) or here:
http://www.softpedia.com/public/scripts/downloadhero/10-17-150/ (v.2+) to
remove the parasite. Try to run from Safe mode or a Clean Boot and be sure
to close ALL other programs to the extent possible, expecially ALL
instances of IE and OE.
There's a good tutorial about CWS and using CWShredder here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain See
also: http://cwshredder.net/cwshredder/cwschronicles.html
BE SURE that you get v.1.59.0.1 or later or the new v.2! Note that
CWShredder may make deletions/changes to your HOSTS file (sometimes as false
positives), and that after cleanup you may need to restore it with a fresh
copy of any local DNS and/or blocking entries or disable it before running
CWShredder.
You will need to show Hidden files first and then at the end clear the
malware garbage from your System Restore backups after you've cleaned up.
It's best to perform CWShredder (and most other malware fixers too) from
Safe mode and then reboot. AFTER cleaning things up, then you can disable
and then re-enable System Restore. See ******** below.
The following links give instructions on how to do these various functions:
HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
use the suggested procedure for XP at the ******'s)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
(WinXP)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
(WinME)
or http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm (Both)
Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.
Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions if they've been affected (as they probably will have
been).
Be sure that you also download and install hotfix Q816093, here:
http://support.microsoft.com/?kbid=816093
which blocks the exploit upon which this parasite family depends.
Lastly, there are extensive, detailed instructions for manual removal of CWS
variants here: http://www.pestpatrol.com/PestInfo/c/cws.asp You may want
to check these to be sure everything's been cleaned up.
However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x or later, if present or any other Ad Blocking software which
interferes with Java Scripting for this scan to work. You should get a
message between the two lines of **** giving the results of the scan.
Get Ad-Aware SE Personal Edition, here:
http://www.lavasoftusa.com/support/download/. UPDATE, set it up in
accordance with this: http://forum.aumha.org/viewtopic.php?t=5877 or the
directions immediately below and run this regularly to get rid of most
"spyware/hijackware" on your machine. If it has to fix things, be sure to
re-boot and rerun AdAware again and repeat this cycle until you get a clean
scan. The reason is that it may have to remove things which are currently
"in use" before it can then clean up others. Configure Ad-aware for a
customized scan, and let it remove any bad files found..... Also download
the VX2 plug-in from that same Lavasoftusa site and after running the
AdAware scan, run this plug-in.
<Begin Setup Directions>
Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear
wheel at the top and check these options to configure Ad-aware for a
customized scan:
General> activate these: "Automatically save log-file" and "Automatically
quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
sites," and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes during
scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
objects prior to deletion" and "Let Windows remove files in use after
reboot."
Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system. When the
scan is finished, the screen will tell you if anything has been found, click
"Next." The bad files will be listed. Right click the pane and click "Select
all objects" - This will put a check mark in the box at the side, click
"Next" again and click "OK" at the prompt "# objects will be removed.
Continue?"
<End Setup Directions>
Courtesy of http://www.nondisputandum.com/html/anti_spyware.html: HINT: If
Ad Aware is automatically shut-down by a malicious software, first run
AWCloak.exe, http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
opening Ad Aware. When AAWCloak is open, click “Activate Cloak”. Then open
Ad Aware and scan your system.
Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. Tutorial
here: http://www.safer-networking.org/en/index.html I recommend using both
normally. Be sure and use the Default (NOT Advanced or Beta) Mode in
Settings.
After UPDATING and fixing ONLY RED things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan. The reason is that SpyBot sometimes has to remove things
which are currently "in use" before it can then clean up others. Note that
sometimes you need to make a judgement call about what these programs report
as spyware. See here, for example: http://www.imilly.com/alexa.htm
Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm
Both of these programs should normally be UPDATED and run after doing any
other fix such as CWShredder and, as a minimum, normally at least once a
week.
When done, go to Start|Run and enter one line at a time (or much easier,
open a DOS box and copy the following in its entirety and then paste it into
the box):
regsvr32 hlink.dll
regsvr32 /i browseui.dll
regsvr32 /i shdocvw.dll
regsvr32 /i mshtml.dll
regsvr32 mshtmled.dll
regsvr32 actxprxy.dll
regsvr32 /i urlmon.dll
regsvr32 scrrun.dll
regsvr32 comcat.dll
regsvr32 Oleaut32.dll
regsvr32 /i Shell32.dll
regsvr32 Msoeacct.dll
regsvr32 "C:\Program Files\Outlook Express\Msoe.dll"
regsvr32 msjava.dll
regsvr32 jscript.dll
regsvr32 Olepro32.dll
regsvr32 Hlink.dll
regsvr32 Asctrls.ocx
regsvr32 Inetcpl.cpl /i
regsvr32 Dxtrans.dll
regsvr32 Dxtmsft.dll
regsvr32 Imgutil.dll
regsvr32 Msxml.dll
regsvr32 Msjava.dll
regsvr32 Jscript.dll
regsvr32 Softpub.dll
regsvr32 Wintrust.dll
regsvr32 Initpki.dll
regsvr32 Dssenh.dll
regsvr32 Rsaenh.dll
regsvr32 Gpkcsp.dll
regsvr32 Slbcsp.dll
regsvr32 Cryptdlg.dll
regsvr32 Msjet40.dll
regsvr32 pdm32.dll
regsvr32 Msjtor40.dll
regsvr32 Dao360.dll
regsvr32 Sccbase.dll
with a Return after each .dll. You'll get a message about successful
completion of the re-registration process after each one, then enter the
next (with the DOS box they'll be continuous except for the last one).
If you use Win98x and get an error on Shell32.dll, ignore it. Only the ME,
Win2k and XP versions of windows have shell32 as an object that needs
registering. (For these earlier operating systems, run "regsvr32
shdoc401.dll " instead of "regsvr32 Shell32.dll".) Depending on your
system, you may also get "not found" error messages on some or all of the
last five - if so, ignore them.
Re-start your computer when you've finished.
If they don't fix it then start here:
Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
or here: http://www.bleepingcomputer.com/files/spyware/hijackthis.zip
There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html
In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)
Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT (have ONLY HT running - IE MUST be
closed) then press Scan. Click on SaveLog when it's finished which will
create hijackthis.log. Now click the Config button, then Misc Tools and
click on Generate StartupList.log which will create Startuplist.txt
Then go to one of the following forums:
Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html
Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance, Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."
*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******
Once you get this cleaned up, you might want to consider installing Eric
Howes' IE-SpyAds, SpywareBlaster and SpywareGuard here to help prevent this
kind of thing from happening in the future:
IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of Internet
Explorer. Once you merge this list of sites and domains into the Registry,
the web sites for these companies will not be able to use cookies, ActiveX
controls, Java applets, or scripting to compromise your privacy or your PC
while you surf the Net. Nor will they be able to use your browser to push
unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
carefully.
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or memory
load - but keep it UPDATED) The latest version as of this writing will
prevent installation or prevent the malware from running if it is already
installed, and it provides information and fixit-links for a variety of
parasites.
http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. All three Very Highly Recommended
SpywareBlaster is probably the best preventive tool currently available,
expecially if supplemented by using the Immunize function in SpyBot S&D and
a good HOSTS file (see next). IMPORTANT NOTE: A good additional source of
preventive blocking for ActiveX components is the Blocking List available
here: http://www.spywareguide.com/blockfile.php While smaller than the
SpywareBlaster list, it contains some different malware CLSIDs and appears
to be updated with new threats more frequently. Recommended as a supplement
to SpywareBlaster. Read all of the instructions in the Expert package
download carefully. You might want to consider using:
http://www.changedetection.com/monitor.html to monitor and notify you of
changes/updates to this (or others, for that matter) list.
Next, install and keep updated a good HOSTS file. It can help you avoid
most adware/malware. See here: http://www.mvps.org/winhelp2002/hosts.htm
(Be sure it's named/renamed HOSTS - all caps, no extension) Additional
tutorials here:
http://www.bleepingcomputer.com/forums/index.php?s=14f3f9225081133297a8acdd11137c5b&showtutorial=51
(detailed) and here: http://www.spywarewarrior.com/viewtopic.php?t=410
(overview)
Finally, be sure that you have a good hardware or software firewall and an
AntiVirus installed, and bring your OS up-to-date with ALL Critical updates
from Windows Update.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
Note the corruption of the Recycle Bin as a side effect of this malware.
That topic has been selected to remain on the forum for a bit, so feel free
to refer to it - It's currently the best protocol that we know. However, be
aware that there are at least 23 known variants of this one so far! You'll
likely need some help if the AdAware VX2 plug-in doesn't fix this variant
(see the HiJackThis section, below, but run the other stuff first in order):
Read all of the following carefully first, then do the following in order:
#########IMPORTANT#########
Before you try to remove spyware using any of the programs below, download
both a copy of LSPFIX here:
http://www.cexx.org/lspfix.htm
AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here: http://www.tacktech.com/display.cfm?ttid=257
or here for Win2k/XP http://files.webattack.com/localdl834/WinsockxpFix.exe
Info here: http://www.spychecker.com/program/winsockxpfix.html
Directions here: http://www.iup.edu/house/resnet/winfix.shtm
The process of removing certain malware may kill your internet connection.
If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
to regain your connection.
NOTE: It is reported that in XP SP2, the Run command netsh winsock reset
will fix this problem without the need for these programs. (You can also
try this if you're on XP SP1. There has also been one, as yet unconfirmed,
report that this also works there.) Also, one MS technician suggested the
following sequence:
netsh int reset all
ipconfig /flushdns
See also: http://windowsxp.mvps.org/winsock.htm for additional XPSP2
info/approaches using the netsh command.
#########IMPORTANT#########
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible. Reboot and test if the malware is fixed
after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot - General Win2k(if w/msconfig)/XP procedure, but see below for
links for other OS's:
1. Start|Run enter msconfig.
2. On the General tab, click Selective Startup, and then clear the Process
System.ini File, Process Win.ini File, and Load Startup Items check boxes.
Leave the boot.ini boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button.
4. Click OK and then reboot.
For additional information about how to clean boot your operating system,
click the following article numbers to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
Sometimes the tools below will find files which they are unable to delete
because they are in use. A program called Copylock, here,
http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
"replacing, moving, renaming or deleting one or many files which are
currently in use (e.g. system files like comctl32.dll, or virus/trojan
files.)" Another is Killbox, here:
http://www.downloads.subratam.org/KillBox.zip
A third which is a bit different but often useful is Delete Invalid File,
here: http://www.purgeie.com/delinv.htm which handles invalid/UNC
file/folder name deleting, rather than the in use problem
Download and run Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
on this page: http://vil.nai.com/vil/stinger/ ME/XP users be sure to read:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, here: http://www.trendmicro.com/download/pattern.asp Be sure to read
the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might also want
to get Art's updater, SYS-UP.Zip, here for future updating of these:
http://home.epix.net/~artnpeg/). (If you download and use the updater from
the beginning, it will automatically handle downloading the other files.)
Place them in a dedicated folder after appropriate unzipping. Show hidden
and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
Disable Restore if you're on XP or ME (directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), then boot to
Safe mode (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
Read tscreadme.txt carefully, then do a complete scan of your system
in Safe mode and clean or delete anything it finds. Reboot to normal mode
and re-run the scan again.
This scan may take a long time, as Sysclean is VERY extensive and thorough.
For example, one user reported that Sysclean found 69 hits that an
immediately prior Norton AV v. 11.0.2.4 run had missed.
Download and run the trial version of A2 Personal, here:
http://www.emsisoft.com/en/ Run from a Clean Boot or Safe Mode with Show
Hidden Files enabled as above.
Download, UPDATE before running, and run:
http://cwshredder.net/bin/CWSInstall.exe from this page:
http://www.intermute.com/spysubtract/cwshredder_download.html (The new v.2+
which will automatically install in C:\Program
Files\InterMute\SpySubtract\CWShredder.exe and put a shortcut on the
Desktop. Run the program from this install location or the shortcut after
installation. This recommendation for CWShredder is NOT automatically a
recommendation for the other programs adverstised by Intermute in
conjunction with this install.) or from here:
http://www.aumha.org/downloads/cwshredder.exe (v.2+ standalone) or here:
http://www.softpedia.com/public/scripts/downloadhero/10-17-150/ (v.2+) to
remove the parasite. Try to run from Safe mode or a Clean Boot and be sure
to close ALL other programs to the extent possible, expecially ALL
instances of IE and OE.
There's a good tutorial about CWS and using CWShredder here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain See
also: http://cwshredder.net/cwshredder/cwschronicles.html
BE SURE that you get v.1.59.0.1 or later or the new v.2! Note that
CWShredder may make deletions/changes to your HOSTS file (sometimes as false
positives), and that after cleanup you may need to restore it with a fresh
copy of any local DNS and/or blocking entries or disable it before running
CWShredder.
You will need to show Hidden files first and then at the end clear the
malware garbage from your System Restore backups after you've cleaned up.
It's best to perform CWShredder (and most other malware fixers too) from
Safe mode and then reboot. AFTER cleaning things up, then you can disable
and then re-enable System Restore. See ******** below.
The following links give instructions on how to do these various functions:
HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
use the suggested procedure for XP at the ******'s)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
(WinXP)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
(WinME)
or http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm (Both)
Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.
Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions if they've been affected (as they probably will have
been).
Be sure that you also download and install hotfix Q816093, here:
http://support.microsoft.com/?kbid=816093
which blocks the exploit upon which this parasite family depends.
Lastly, there are extensive, detailed instructions for manual removal of CWS
variants here: http://www.pestpatrol.com/PestInfo/c/cws.asp You may want
to check these to be sure everything's been cleaned up.
However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x or later, if present or any other Ad Blocking software which
interferes with Java Scripting for this scan to work. You should get a
message between the two lines of **** giving the results of the scan.
Get Ad-Aware SE Personal Edition, here:
http://www.lavasoftusa.com/support/download/. UPDATE, set it up in
accordance with this: http://forum.aumha.org/viewtopic.php?t=5877 or the
directions immediately below and run this regularly to get rid of most
"spyware/hijackware" on your machine. If it has to fix things, be sure to
re-boot and rerun AdAware again and repeat this cycle until you get a clean
scan. The reason is that it may have to remove things which are currently
"in use" before it can then clean up others. Configure Ad-aware for a
customized scan, and let it remove any bad files found..... Also download
the VX2 plug-in from that same Lavasoftusa site and after running the
AdAware scan, run this plug-in.
<Begin Setup Directions>
Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear
wheel at the top and check these options to configure Ad-aware for a
customized scan:
General> activate these: "Automatically save log-file" and "Automatically
quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
sites," and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes during
scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
objects prior to deletion" and "Let Windows remove files in use after
reboot."
Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system. When the
scan is finished, the screen will tell you if anything has been found, click
"Next." The bad files will be listed. Right click the pane and click "Select
all objects" - This will put a check mark in the box at the side, click
"Next" again and click "OK" at the prompt "# objects will be removed.
Continue?"
<End Setup Directions>
Courtesy of http://www.nondisputandum.com/html/anti_spyware.html: HINT: If
Ad Aware is automatically shut-down by a malicious software, first run
AWCloak.exe, http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
opening Ad Aware. When AAWCloak is open, click “Activate Cloak”. Then open
Ad Aware and scan your system.
Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. Tutorial
here: http://www.safer-networking.org/en/index.html I recommend using both
normally. Be sure and use the Default (NOT Advanced or Beta) Mode in
Settings.
After UPDATING and fixing ONLY RED things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan. The reason is that SpyBot sometimes has to remove things
which are currently "in use" before it can then clean up others. Note that
sometimes you need to make a judgement call about what these programs report
as spyware. See here, for example: http://www.imilly.com/alexa.htm
Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm
Both of these programs should normally be UPDATED and run after doing any
other fix such as CWShredder and, as a minimum, normally at least once a
week.
When done, go to Start|Run and enter one line at a time (or much easier,
open a DOS box and copy the following in its entirety and then paste it into
the box):
regsvr32 hlink.dll
regsvr32 /i browseui.dll
regsvr32 /i shdocvw.dll
regsvr32 /i mshtml.dll
regsvr32 mshtmled.dll
regsvr32 actxprxy.dll
regsvr32 /i urlmon.dll
regsvr32 scrrun.dll
regsvr32 comcat.dll
regsvr32 Oleaut32.dll
regsvr32 /i Shell32.dll
regsvr32 Msoeacct.dll
regsvr32 "C:\Program Files\Outlook Express\Msoe.dll"
regsvr32 msjava.dll
regsvr32 jscript.dll
regsvr32 Olepro32.dll
regsvr32 Hlink.dll
regsvr32 Asctrls.ocx
regsvr32 Inetcpl.cpl /i
regsvr32 Dxtrans.dll
regsvr32 Dxtmsft.dll
regsvr32 Imgutil.dll
regsvr32 Msxml.dll
regsvr32 Msjava.dll
regsvr32 Jscript.dll
regsvr32 Softpub.dll
regsvr32 Wintrust.dll
regsvr32 Initpki.dll
regsvr32 Dssenh.dll
regsvr32 Rsaenh.dll
regsvr32 Gpkcsp.dll
regsvr32 Slbcsp.dll
regsvr32 Cryptdlg.dll
regsvr32 Msjet40.dll
regsvr32 pdm32.dll
regsvr32 Msjtor40.dll
regsvr32 Dao360.dll
regsvr32 Sccbase.dll
with a Return after each .dll. You'll get a message about successful
completion of the re-registration process after each one, then enter the
next (with the DOS box they'll be continuous except for the last one).
If you use Win98x and get an error on Shell32.dll, ignore it. Only the ME,
Win2k and XP versions of windows have shell32 as an object that needs
registering. (For these earlier operating systems, run "regsvr32
shdoc401.dll " instead of "regsvr32 Shell32.dll".) Depending on your
system, you may also get "not found" error messages on some or all of the
last five - if so, ignore them.
Re-start your computer when you've finished.
If they don't fix it then start here:
Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
or here: http://www.bleepingcomputer.com/files/spyware/hijackthis.zip
There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html
In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)
Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT (have ONLY HT running - IE MUST be
closed) then press Scan. Click on SaveLog when it's finished which will
create hijackthis.log. Now click the Config button, then Misc Tools and
click on Generate StartupList.log which will create Startuplist.txt
Then go to one of the following forums:
Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html
Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance, Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."
*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******
Once you get this cleaned up, you might want to consider installing Eric
Howes' IE-SpyAds, SpywareBlaster and SpywareGuard here to help prevent this
kind of thing from happening in the future:
IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of Internet
Explorer. Once you merge this list of sites and domains into the Registry,
the web sites for these companies will not be able to use cookies, ActiveX
controls, Java applets, or scripting to compromise your privacy or your PC
while you surf the Net. Nor will they be able to use your browser to push
unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
carefully.
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or memory
load - but keep it UPDATED) The latest version as of this writing will
prevent installation or prevent the malware from running if it is already
installed, and it provides information and fixit-links for a variety of
parasites.
http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. All three Very Highly Recommended
SpywareBlaster is probably the best preventive tool currently available,
expecially if supplemented by using the Immunize function in SpyBot S&D and
a good HOSTS file (see next). IMPORTANT NOTE: A good additional source of
preventive blocking for ActiveX components is the Blocking List available
here: http://www.spywareguide.com/blockfile.php While smaller than the
SpywareBlaster list, it contains some different malware CLSIDs and appears
to be updated with new threats more frequently. Recommended as a supplement
to SpywareBlaster. Read all of the instructions in the Expert package
download carefully. You might want to consider using:
http://www.changedetection.com/monitor.html to monitor and notify you of
changes/updates to this (or others, for that matter) list.
Next, install and keep updated a good HOSTS file. It can help you avoid
most adware/malware. See here: http://www.mvps.org/winhelp2002/hosts.htm
(Be sure it's named/renamed HOSTS - all caps, no extension) Additional
tutorials here:
http://www.bleepingcomputer.com/forums/index.php?s=14f3f9225081133297a8acdd11137c5b&showtutorial=51
(detailed) and here: http://www.spywarewarrior.com/viewtopic.php?t=410
(overview)
Finally, be sure that you have a good hardware or software firewall and an
AntiVirus installed, and bring your OS up-to-date with ALL Critical updates
from Windows Update.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
W
Wayne Wastier
-snipped for bandwidth preservation-Jim said:Hi Wayne - Take a look here:
http://forum.aumha.org/viewtopic.php?t=10920
Thank you Jim. Wow, you have done your homework.
thanks again,
Wayne
P
privatenes.microsoft.com
Isn't it just easier to reformat and reinstall? I wouldn't go through all
this.
this.
Jim Byrd said:Hi Wayne - Take a look here:
http://forum.aumha.org/viewtopic.php?t=10920
Note the corruption of the Recycle Bin as a side effect of this malware.
That topic has been selected to remain on the forum for a bit, so feel
free
to refer to it - It's currently the best protocol that we know. However,
be
aware that there are at least 23 known variants of this one so far!
You'll
likely need some help if the AdAware VX2 plug-in doesn't fix this variant
(see the HiJackThis section, below, but run the other stuff first in
order):
Read all of the following carefully first, then do the following in order:
#########IMPORTANT#########
Before you try to remove spyware using any of the programs below, download
both a copy of LSPFIX here:
http://www.cexx.org/lspfix.htm
AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here: http://www.tacktech.com/display.cfm?ttid=257
or here for Win2k/XP
http://files.webattack.com/localdl834/WinsockxpFix.exe
Info here: http://www.spychecker.com/program/winsockxpfix.html
Directions here: http://www.iup.edu/house/resnet/winfix.shtm
The process of removing certain malware may kill your internet connection.
If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable
you
to regain your connection.
NOTE: It is reported that in XP SP2, the Run command netsh winsock
reset
will fix this problem without the need for these programs. (You can also
try this if you're on XP SP1. There has also been one, as yet
unconfirmed,
report that this also works there.) Also, one MS technician suggested the
following sequence:
netsh int reset all
ipconfig /flushdns
See also: http://windowsxp.mvps.org/winsock.htm for additional XPSP2
info/approaches using the netsh command.
#########IMPORTANT#########
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe
mode
or a "Clean Boot" when possible. Reboot and test if the malware is fixed
after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot - General Win2k(if w/msconfig)/XP procedure, but see below for
links for other OS's:
1. Start|Run enter msconfig.
2. On the General tab, click Selective Startup, and then clear the
Process
System.ini File, Process Win.ini File, and Load Startup Items check boxes.
Leave the boot.ini boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button.
4. Click OK and then reboot.
For additional information about how to clean boot your operating system,
click the following article numbers to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
Sometimes the tools below will find files which they are unable to delete
because they are in use. A program called Copylock, here,
http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
"replacing, moving, renaming or deleting one or many files which are
currently in use (e.g. system files like comctl32.dll, or virus/trojan
files.)" Another is Killbox, here:
http://www.downloads.subratam.org/KillBox.zip
A third which is a bit different but often useful is Delete Invalid File,
here: http://www.purgeie.com/delinv.htm which handles invalid/UNC
file/folder name deleting, rather than the in use problem
Download and run Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from the
link
on this page: http://vil.nai.com/vil/stinger/ ME/XP users be sure to
read:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, here: http://www.trendmicro.com/download/pattern.asp Be sure to
read
the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might also
want
to get Art's updater, SYS-UP.Zip, here for future updating of these:
http://home.epix.net/~artnpeg/). (If you download and use the updater
from
the beginning, it will automatically handle downloading the other files.)
Place them in a dedicated folder after appropriate unzipping. Show hidden
and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
Disable Restore if you're on XP or ME (directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), then boot to
Safe mode (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
Read tscreadme.txt carefully, then do a complete scan of your system
in Safe mode and clean or delete anything it finds. Reboot to normal mode
and re-run the scan again.
This scan may take a long time, as Sysclean is VERY extensive and
thorough.
For example, one user reported that Sysclean found 69 hits that an
immediately prior Norton AV v. 11.0.2.4 run had missed.
Download and run the trial version of A2 Personal, here:
http://www.emsisoft.com/en/ Run from a Clean Boot or Safe Mode with Show
Hidden Files enabled as above.
Download, UPDATE before running, and run:
http://cwshredder.net/bin/CWSInstall.exe from this page:
http://www.intermute.com/spysubtract/cwshredder_download.html (The new
v.2+
which will automatically install in C:\Program
Files\InterMute\SpySubtract\CWShredder.exe and put a shortcut on the
Desktop. Run the program from this install location or the shortcut after
installation. This recommendation for CWShredder is NOT automatically a
recommendation for the other programs adverstised by Intermute in
conjunction with this install.) or from here:
http://www.aumha.org/downloads/cwshredder.exe (v.2+ standalone) or here:
http://www.softpedia.com/public/scripts/downloadhero/10-17-150/ (v.2+) to
remove the parasite. Try to run from Safe mode or a Clean Boot and be
sure
to close ALL other programs to the extent possible, expecially ALL
instances of IE and OE.
There's a good tutorial about CWS and using CWShredder here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain
See
also: http://cwshredder.net/cwshredder/cwschronicles.html
BE SURE that you get v.1.59.0.1 or later or the new v.2! Note that
CWShredder may make deletions/changes to your HOSTS file (sometimes as
false
positives), and that after cleanup you may need to restore it with a fresh
copy of any local DNS and/or blocking entries or disable it before running
CWShredder.
You will need to show Hidden files first and then at the end clear the
malware garbage from your System Restore backups after you've cleaned up.
It's best to perform CWShredder (and most other malware fixers too) from
Safe mode and then reboot. AFTER cleaning things up, then you can disable
and then re-enable System Restore. See ******** below.
The following links give instructions on how to do these various
functions:
HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
use the suggested procedure for XP at the ******'s)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
(WinXP)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
(WinME)
or http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm (Both)
Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.
Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions if they've been affected (as they probably will have
been).
Be sure that you also download and install hotfix Q816093, here:
http://support.microsoft.com/?kbid=816093
which blocks the exploit upon which this parasite family depends.
Lastly, there are extensive, detailed instructions for manual removal of
CWS
variants here: http://www.pestpatrol.com/PestInfo/c/cws.asp You may want
to check these to be sure everything's been cleaned up.
However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an
analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in
Zone
Alarm 3.x or later, if present or any other Ad Blocking software which
interferes with Java Scripting for this scan to work. You should get a
message between the two lines of **** giving the results of the scan.
Get Ad-Aware SE Personal Edition, here:
http://www.lavasoftusa.com/support/download/. UPDATE, set it up in
accordance with this: http://forum.aumha.org/viewtopic.php?t=5877 or the
directions immediately below and run this regularly to get rid of most
"spyware/hijackware" on your machine. If it has to fix things, be sure
to
re-boot and rerun AdAware again and repeat this cycle until you get a
clean
scan. The reason is that it may have to remove things which are currently
"in use" before it can then clean up others. Configure Ad-aware for a
customized scan, and let it remove any bad files found..... Also
download
the VX2 plug-in from that same Lavasoftusa site and after running the
AdAware scan, run this plug-in.
<Begin Setup Directions>
Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the
gear
wheel at the top and check these options to configure Ad-aware for a
customized scan:
General> activate these: "Automatically save log-file" and "Automatically
quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active
processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
sites," and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes
during
scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
objects prior to deletion" and "Let Windows remove files in use after
reboot."
Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system. When the
scan is finished, the screen will tell you if anything has been found,
click
"Next." The bad files will be listed. Right click the pane and click
"Select
all objects" - This will put a check mark in the box at the side, click
"Next" again and click "OK" at the prompt "# objects will be removed.
Continue?"
<End Setup Directions>
Courtesy of http://www.nondisputandum.com/html/anti_spyware.html: HINT:
If
Ad Aware is automatically shut-down by a malicious software, first run
AWCloak.exe, http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
opening Ad Aware. When AAWCloak is open, click “Activate Cloak”. Then open
Ad Aware and scan your system.
Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. Tutorial
here: http://www.safer-networking.org/en/index.html I recommend using
both
normally. Be sure and use the Default (NOT Advanced or Beta) Mode in
Settings.
After UPDATING and fixing ONLY RED things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan. The reason is that SpyBot sometimes has to remove things
which are currently "in use" before it can then clean up others. Note
that
sometimes you need to make a judgement call about what these programs
report
as spyware. See here, for example: http://www.imilly.com/alexa.htm
Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm
Both of these programs should normally be UPDATED and run after doing any
other fix such as CWShredder and, as a minimum, normally at least once a
week.
When done, go to Start|Run and enter one line at a time (or much easier,
open a DOS box and copy the following in its entirety and then paste it
into
the box):
regsvr32 hlink.dll
regsvr32 /i browseui.dll
regsvr32 /i shdocvw.dll
regsvr32 /i mshtml.dll
regsvr32 mshtmled.dll
regsvr32 actxprxy.dll
regsvr32 /i urlmon.dll
regsvr32 scrrun.dll
regsvr32 comcat.dll
regsvr32 Oleaut32.dll
regsvr32 /i Shell32.dll
regsvr32 Msoeacct.dll
regsvr32 "C:\Program Files\Outlook Express\Msoe.dll"
regsvr32 msjava.dll
regsvr32 jscript.dll
regsvr32 Olepro32.dll
regsvr32 Hlink.dll
regsvr32 Asctrls.ocx
regsvr32 Inetcpl.cpl /i
regsvr32 Dxtrans.dll
regsvr32 Dxtmsft.dll
regsvr32 Imgutil.dll
regsvr32 Msxml.dll
regsvr32 Msjava.dll
regsvr32 Jscript.dll
regsvr32 Softpub.dll
regsvr32 Wintrust.dll
regsvr32 Initpki.dll
regsvr32 Dssenh.dll
regsvr32 Rsaenh.dll
regsvr32 Gpkcsp.dll
regsvr32 Slbcsp.dll
regsvr32 Cryptdlg.dll
regsvr32 Msjet40.dll
regsvr32 pdm32.dll
regsvr32 Msjtor40.dll
regsvr32 Dao360.dll
regsvr32 Sccbase.dll
with a Return after each .dll. You'll get a message about successful
completion of the re-registration process after each one, then enter the
next (with the DOS box they'll be continuous except for the last one).
If you use Win98x and get an error on Shell32.dll, ignore it. Only the ME,
Win2k and XP versions of windows have shell32 as an object that needs
registering. (For these earlier operating systems, run "regsvr32
shdoc401.dll " instead of "regsvr32 Shell32.dll".) Depending on your
system, you may also get "not found" error messages on some or all of the
last five - if so, ignore them.
Re-start your computer when you've finished.
If they don't fix it then start here:
Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
or here: http://www.bleepingcomputer.com/files/spyware/hijackthis.zip
There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html
In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)
Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT (have ONLY HT running - IE MUST be
closed) then press Scan. Click on SaveLog when it's finished which will
create hijackthis.log. Now click the Config button, then Misc Tools and
click on Generate StartupList.log which will create Startuplist.txt
Then go to one of the following forums:
Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html
Register if necessary, then sign in and READ THE DIRECTIONS at the
beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance, Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."
*******
ONLY IF you've successfully eliminated the malware, you can now make a
new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For
XP
you can run a Disk Cleanup cycle and then look in the More Options tab.
The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually
create
one before dumping the old possibly infected ones.
*******
Once you get this cleaned up, you might want to consider installing Eric
Howes' IE-SpyAds, SpywareBlaster and SpywareGuard here to help prevent
this
kind of thing from happening in the future:
IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD
adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of Internet
Explorer. Once you merge this list of sites and domains into the Registry,
the web sites for these companies will not be able to use cookies, ActiveX
controls, Java applets, or scripting to compromise your privacy or your PC
while you surf the Net. Nor will they be able to use your browser to push
unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
carefully.
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware
Active
X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or
memory
load - but keep it UPDATED) The latest version as of this writing will
prevent installation or prevent the malware from running if it is already
installed, and it provides information and fixit-links for a variety of
parasites.
http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts
to
install malware) Keep it UPDATED. All three Very Highly Recommended
SpywareBlaster is probably the best preventive tool currently available,
expecially if supplemented by using the Immunize function in SpyBot S&D
and
a good HOSTS file (see next). IMPORTANT NOTE: A good additional source
of
preventive blocking for ActiveX components is the Blocking List available
here: http://www.spywareguide.com/blockfile.php While smaller than the
SpywareBlaster list, it contains some different malware CLSIDs and appears
to be updated with new threats more frequently. Recommended as a
supplement
to SpywareBlaster. Read all of the instructions in the Expert package
download carefully. You might want to consider using:
http://www.changedetection.com/monitor.html to monitor and notify you of
changes/updates to this (or others, for that matter) list.
Next, install and keep updated a good HOSTS file. It can help you avoid
most adware/malware. See here: http://www.mvps.org/winhelp2002/hosts.htm
(Be sure it's named/renamed HOSTS - all caps, no extension) Additional
tutorials here:
http://www.bleepingcomputer.com/forums/index.php?s=14f3f9225081133297a8acdd11137c5b&showtutorial=51
(detailed) and here: http://www.spywarewarrior.com/viewtopic.php?t=410
(overview)
Finally, be sure that you have a good hardware or software firewall and an
AntiVirus installed, and bring your OS up-to-date with ALL Critical
updates
from Windows Update.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
InWayne Wastier said:Have you tried: http://www.noadware.net/?hop=teksol
J
Jim Byrd
Hi chippe01 - Well, it's rapidly getting to the point where that's a viable
alternative for some of these parasites. However, in many cases, it's not a
very inviting option, depending on the particular person/organization's
circumstances.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
alternative for some of these parasites. However, in many cases, it's not a
very inviting option, depending on the particular person/organization's
circumstances.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
privatenes.microsoft.com said:Isn't it just easier to reformat and reinstall? I wouldn't go
through all this.
Jim Byrd said:Hi Wayne - Take a look here:
http://forum.aumha.org/viewtopic.php?t=10920
Note the corruption of the Recycle Bin as a side effect of this
malware.
That topic has been selected to remain on the forum for a bit, so
feel free
to refer to it - It's currently the best protocol that we know.
However, be
aware that there are at least 23 known variants of this one so far!
You'll
likely need some help if the AdAware VX2 plug-in doesn't fix this
variant (see the HiJackThis section, below, but run the other stuff
first in order):
Read all of the following carefully first, then do the following in
order:
#########IMPORTANT#########
Before you try to remove spyware using any of the programs below,
download both a copy of LSPFIX here:
http://www.cexx.org/lspfix.htm
AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here: http://www.tacktech.com/display.cfm?ttid=257
or here for Win2k/XP
http://files.webattack.com/localdl834/WinsockxpFix.exe
Info here: http://www.spychecker.com/program/winsockxpfix.html
Directions here: http://www.iup.edu/house/resnet/winfix.shtm
The process of removing certain malware may kill your internet
connection. If this should occur, these programs, LSPFIX and
WINSOCKFIX, will enable you
to regain your connection.
NOTE: It is reported that in XP SP2, the Run command netsh
winsock reset
will fix this problem without the need for these programs. (You can
also try this if you're on XP SP1. There has also been one, as yet
unconfirmed,
report that this also works there.) Also, one MS technician
suggested the following sequence:
netsh int reset all
ipconfig /flushdns
See also: http://windowsxp.mvps.org/winsock.htm for additional XPSP2
info/approaches using the netsh command.
#########IMPORTANT#########
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from
Safe mode
or a "Clean Boot" when possible. Reboot and test if the malware is
fixed after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot - General Win2k(if w/msconfig)/XP procedure, but see
below for links for other OS's:
1. Start|Run enter msconfig.
2. On the General tab, click Selective Startup, and then clear the
Process
System.ini File, Process Win.ini File, and Load Startup Items check
boxes. Leave the boot.ini boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services"
checkbox, and then click the "Disable All" button.
4. Click OK and then reboot.
For additional information about how to clean boot your operating
system, click the following article numbers to view the articles in
the Microsoft Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
Sometimes the tools below will find files which they are unable to
delete because they are in use. A program called Copylock, here,
http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the
process of "replacing, moving, renaming or deleting one or many
files which are currently in use (e.g. system files like
comctl32.dll, or virus/trojan files.)" Another is Killbox, here:
http://www.downloads.subratam.org/KillBox.zip
A third which is a bit different but often useful is Delete Invalid
File, here: http://www.purgeie.com/delinv.htm which handles
invalid/UNC file/folder name deleting, rather than the in use problem
Download and run Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from
the link
on this page: http://vil.nai.com/vil/stinger/ ME/XP users be sure
to read:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest
pattern file, here: http://www.trendmicro.com/download/pattern.asp
Be sure to read
the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might
also want
to get Art's updater, SYS-UP.Zip, here for future updating of these:
http://home.epix.net/~artnpeg/). (If you download and use the
updater from
the beginning, it will automatically handle downloading the other
files.) Place them in a dedicated folder after appropriate
unzipping. Show hidden and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
Disable Restore if you're on XP or ME (directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), then
boot to Safe mode (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
Read tscreadme.txt carefully, then do a complete scan of your
system in Safe mode and clean or delete anything it finds. Reboot
to normal mode and re-run the scan again.
This scan may take a long time, as Sysclean is VERY extensive and
thorough.
For example, one user reported that Sysclean found 69 hits that an
immediately prior Norton AV v. 11.0.2.4 run had missed.
Download and run the trial version of A2 Personal, here:
http://www.emsisoft.com/en/ Run from a Clean Boot or Safe Mode with
Show Hidden Files enabled as above.
Download, UPDATE before running, and run:
http://cwshredder.net/bin/CWSInstall.exe from this page:
http://www.intermute.com/spysubtract/cwshredder_download.html (The
new v.2+
which will automatically install in C:\Program
Files\InterMute\SpySubtract\CWShredder.exe and put a shortcut on the
Desktop. Run the program from this install location or the shortcut
after installation. This recommendation for CWShredder is NOT
automatically a recommendation for the other programs adverstised by
Intermute in conjunction with this install.) or from here:
http://www.aumha.org/downloads/cwshredder.exe (v.2+ standalone) or
here:
http://www.softpedia.com/public/scripts/downloadhero/10-17-150/
(v.2+) to remove the parasite. Try to run from Safe mode or a
Clean Boot and be sure
to close ALL other programs to the extent possible, expecially ALL
instances of IE and OE.
There's a good tutorial about CWS and using CWShredder here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain
See
also: http://cwshredder.net/cwshredder/cwschronicles.html
BE SURE that you get v.1.59.0.1 or later or the new v.2! Note that
CWShredder may make deletions/changes to your HOSTS file (sometimes
as false
positives), and that after cleanup you may need to restore it with a
fresh copy of any local DNS and/or blocking entries or disable it
before running CWShredder.
You will need to show Hidden files first and then at the end clear
the malware garbage from your System Restore backups after you've
cleaned up. It's best to perform CWShredder (and most other malware
fixers too) from Safe mode and then reboot. AFTER cleaning things
up, then you can disable and then re-enable System Restore. See
******** below.
The following links give instructions on how to do these various
functions:
HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
HOW TO Disable/Flush System Restore (do this at the end AFTER
cleaning or use the suggested procedure for XP at the ******'s)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
(WinXP)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
(WinME)
or http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm (Both)
Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore
your tabs and remove any restrictions that the parasite has put in
place.
Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to
restore your search functions if they've been affected (as they
probably will have been).
Be sure that you also download and install hotfix Q816093, here:
http://support.microsoft.com/?kbid=816093
which blocks the exploit upon which this parasite family depends.
Lastly, there are extensive, detailed instructions for manual
removal of CWS
variants here: http://www.pestpatrol.com/PestInfo/c/cws.asp You
may want to check these to be sure everything's been cleaned up.
However, this also indicates that you may have acquired some other
malware along the way. If you go to this page at Jim Eshelman's
site, here: http://aumha.org/a/noads.htm and wait a little bit (be
patient), an analysis
of a number of possible parasites on your machine will be made to
help you identify and remove them. NOTE: You will need to disable Ad
Blocking in Zone
Alarm 3.x or later, if present or any other Ad Blocking software
which interferes with Java Scripting for this scan to work. You
should get a message between the two lines of **** giving the
results of the scan.
Get Ad-Aware SE Personal Edition, here:
http://www.lavasoftusa.com/support/download/. UPDATE, set it up in
accordance with this: http://forum.aumha.org/viewtopic.php?t=5877
or the directions immediately below and run this regularly to get
rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to
re-boot and rerun AdAware again and repeat this cycle until you get a
clean
scan. The reason is that it may have to remove things which are
currently "in use" before it can then clean up others. Configure
Ad-aware for a customized scan, and let it remove any bad files
found..... Also download
the VX2 plug-in from that same Lavasoftusa site and after running the
AdAware scan, run this plug-in.
<Begin Setup Directions>
Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click
the gear
wheel at the top and check these options to configure Ad-aware for a
customized scan:
General> activate these: "Automatically save log-file" and
"Automatically quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active
processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for
banned sites," and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes
during
scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to
unregister objects prior to deletion" and "Let Windows remove files
in use after reboot."
Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system.
When the scan is finished, the screen will tell you if anything has
been found, click
"Next." The bad files will be listed. Right click the pane and click
"Select
all objects" - This will put a check mark in the box at the side,
click "Next" again and click "OK" at the prompt "# objects will be
removed. Continue?"
<End Setup Directions>
Courtesy of http://www.nondisputandum.com/html/anti_spyware.html:
HINT: If
Ad Aware is automatically shut-down by a malicious software, first
run AWCloak.exe, http://www.lavasoftnews.com/downloads/AAWCloak.exe,
before opening Ad Aware. When AAWCloak is open, click “Activate
Cloak”. Then open Ad Aware and scan your system.
Another excellent program for this purpose is SpyBot Search and
Destroy available here: http://security.kolla.de/ SpyBot Support
Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi.
Tutorial here: http://www.safer-networking.org/en/index.html I
recommend using both
normally. Be sure and use the Default (NOT Advanced or Beta) Mode in
Settings.
After UPDATING and fixing ONLY RED things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to
remove things which are currently "in use" before it can then clean
up others. Note that
sometimes you need to make a judgement call about what these programs
report
as spyware. See here, for example: http://www.imilly.com/alexa.htm
Note that sometimes you need to make a judgement call about what
these programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm
Both of these programs should normally be UPDATED and run after
doing any other fix such as CWShredder and, as a minimum, normally
at least once a week.
When done, go to Start|Run and enter one line at a time (or much
easier, open a DOS box and copy the following in its entirety and
then paste it into
the box):
regsvr32 hlink.dll
regsvr32 /i browseui.dll
regsvr32 /i shdocvw.dll
regsvr32 /i mshtml.dll
regsvr32 mshtmled.dll
regsvr32 actxprxy.dll
regsvr32 /i urlmon.dll
regsvr32 scrrun.dll
regsvr32 comcat.dll
regsvr32 Oleaut32.dll
regsvr32 /i Shell32.dll
regsvr32 Msoeacct.dll
regsvr32 "C:\Program Files\Outlook Express\Msoe.dll"
regsvr32 msjava.dll
regsvr32 jscript.dll
regsvr32 Olepro32.dll
regsvr32 Hlink.dll
regsvr32 Asctrls.ocx
regsvr32 Inetcpl.cpl /i
regsvr32 Dxtrans.dll
regsvr32 Dxtmsft.dll
regsvr32 Imgutil.dll
regsvr32 Msxml.dll
regsvr32 Msjava.dll
regsvr32 Jscript.dll
regsvr32 Softpub.dll
regsvr32 Wintrust.dll
regsvr32 Initpki.dll
regsvr32 Dssenh.dll
regsvr32 Rsaenh.dll
regsvr32 Gpkcsp.dll
regsvr32 Slbcsp.dll
regsvr32 Cryptdlg.dll
regsvr32 Msjet40.dll
regsvr32 pdm32.dll
regsvr32 Msjtor40.dll
regsvr32 Dao360.dll
regsvr32 Sccbase.dll
with a Return after each .dll. You'll get a message about successful
completion of the re-registration process after each one, then enter
the next (with the DOS box they'll be continuous except for the last
one).
If you use Win98x and get an error on Shell32.dll, ignore it. Only
the ME, Win2k and XP versions of windows have shell32 as an object
that needs registering. (For these earlier operating systems, run
"regsvr32 shdoc401.dll " instead of "regsvr32 Shell32.dll".)
Depending on your system, you may also get "not found" error
messages on some or all of the last five - if so, ignore them.
Re-start your computer when you've finished.
If they don't fix it then start here:
Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download
a new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.) You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
or here:
http://www.bleepingcomputer.com/files/spyware/hijackthis.zip
There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html
In Windows Explorer, click on Tools|Folder Options|View and check
"Show hidden files and folders" and uncheck "Hide protected
operating system files". (You may want to restore these when you're
all finished with HijackThis.)
Place HijackThis.exe or unzip HijackThis.zip into its own dedicated
folder at the root level such as C:\HijackThis (NOT in a Temp folder
or on your Desktop), reboot to Safe mode, start HT (have ONLY HT
running - IE MUST be closed) then press Scan. Click on SaveLog when
it's finished which will create hijackthis.log. Now click the Config
button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt
Then go to one of the following forums:
Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html
Register if necessary, then sign in and READ THE DIRECTIONS at the
beginning
of the particular site's HiJackThis forum, then copy and paste both
files into a message asking for assistance, Someone will answer with
detailed instructions for the removal of your parasite(s). Be sure
you include at the beginning of your post a description of "What
specific problem(s)/symptoms you're trying to solve" and "What steps
you've already taken."
*******
ONLY IF you've successfully eliminated the malware, you can now make
a new,
clean Restore Point and delete any previously saved (possibly
infected) ones. The following suggested approach is courtesy of Gary
Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options
tab. The
System Restore option removes all but the latest Restore Point. If
there hasn't been one made since the system was cleaned you should
manually create
one before dumping the old possibly infected ones.
*******
Once you get this cleaned up, you might want to consider installing
Eric Howes' IE-SpyAds, SpywareBlaster and SpywareGuard here to help
prevent this
kind of thing from happening in the future:
IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm
"IE-SPYAD adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of
Internet Explorer. Once you merge this list of sites and domains
into the Registry, the web sites for these companies will not be
able to use cookies, ActiveX controls, Java applets, or scripting to
compromise your privacy or your PC while you surf the Net. Nor will
they be able to use your browser to push unwanted pop-ups, cookies,
or auto-installing programs on your PC." Read carefully.
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware
Active
X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or
memory
load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it
is already installed, and it provides information and fixit-links
for a variety of parasites.
http://www.javacoolsoftware.com/spywareguard.html (Monitors for
attempts to
install malware) Keep it UPDATED. All three Very Highly Recommended
SpywareBlaster is probably the best preventive tool currently
available, expecially if supplemented by using the Immunize function
in SpyBot S&D and
a good HOSTS file (see next). IMPORTANT NOTE: A good additional
source of
preventive blocking for ActiveX components is the Blocking List
available here: http://www.spywareguide.com/blockfile.php While
smaller than the SpywareBlaster list, it contains some different
malware CLSIDs and appears to be updated with new threats more
frequently. Recommended as a supplement
to SpywareBlaster. Read all of the instructions in the Expert
package download carefully. You might want to consider using:
http://www.changedetection.com/monitor.html to monitor and notify
you of changes/updates to this (or others, for that matter) list.
Next, install and keep updated a good HOSTS file. It can help you
avoid most adware/malware. See here:
http://www.mvps.org/winhelp2002/hosts.htm (Be sure it's
named/renamed HOSTS - all caps, no extension) Additional tutorials
here:
http://www.bleepingcomputer.com/forums/index.php?s=14f3f9225081133297a8acdd11137c5b&showtutorial=51
(detailed) and here:
http://www.spywarewarrior.com/viewtopic.php?t=410 (overview)
Finally, be sure that you have a good hardware or software firewall
and an AntiVirus installed, and bring your OS up-to-date with ALL
Critical updates
from Windows Update.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
InWayne Wastier said:Have you tried: http://www.noadware.net/?hop=teksol
J
Jim Byrd
YW, Wayne - Good luck - It is a lot of work to clean this one up.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
D
Danny Kile
In addition to that I had a client/user where I did the reformat andJim said:Hi chippe01 - Well, it's rapidly getting to the point where that's a viable
alternative for some of these parasites. However, in many cases, it's not a
very inviting option, depending on the particular person/organization's
circumstances.
reinstall. A week late she had the PC right back to where it was before
I started. It is better to find a cure then to reformat and reinstall.
However, better than a cure is a tool that will prevent it in the first
place.
B
Bill Sanderson
In addition to that I had a client/user where I did the reformat and
reinstall. A week late she had the PC right back to where it was before I
started. It is better to find a cure then to reformat and reinstall.
However, better than a cure is a tool that will prevent it in the first
place.
Danny--is that client now running Microsoft Antispyware?
There are lots of issues to think about when advising someone whether or not
to run beta software, but this tool seems like what is needed to prevent
infections for someone who has that propensity.
D
Danny Kile
As a matter of fact they are and since it has now been 8 days maybe weBill said:Danny--is that client now running Microsoft Antispyware?
There are lots of issues to think about when advising someone whether or not
to run beta software, but this tool seems like what is needed to prevent
infections for someone who has that propensity.
are safe. However, I also disabled Internet Explorer and Uninstalled
Windows Media Player. Now if they what to get on the net they have to
use FireFox.
B
Bill Sanderson
Glad to hear you are doing what you can to maintain their safety. What
resources do you monitor to know about Firefox bugs and exploits and
patches?
resources do you monitor to know about Firefox bugs and exploits and
patches?
D
Danny Kile
Bill said:Glad to hear you are doing what you can to maintain their safety. What
resources do you monitor to know about Firefox bugs and exploits and
patches?
snews://secnews.netscape.com:563/netscape.mozilla.user.win32
D
Danny Kile
Bill said:Glad to hear you are doing what you can to maintain their safety. What
resources do you monitor to know about Firefox bugs and exploits and
patches?
http://ed.mullen.home.comcast.net/Mozilla/moz_news_ns.html
B
Bill Sanderson
snews://secnews.netscape.com:563/netscape.mozilla.user.win32
Thanks!