HI Jan!
I had my brother in law to come up yesterday to give
me a hand and we tried some things before you post came
up. I apologize ahead also for the lenghty post, but like
your credo is, information for the masses to share is the
way to go.
When I was giving up, I was at the point where the
Welcome page came up, but it would not let you log on,
instead it would immediatly log you off. That was no
good, since I couldn't do anything. I took Rick's
suggestion and checked out the sites he posted and though
I found some interesting info, I didn't delve too deep in
the registry because I wasn't comfortable with it.
It was suggested in one of those sites to boot from
the OS CD and go into the recovery mode to do some
tinkering in there but I ran into a wall there until I
realized I did a newbie move and hadn't put the CD as the
#1 boot sequence, which finally worked once I rectified
that embarassement.
Bro in law did some tinkering in there, explaining
as he worked away, but some of it was over my head, so I
can't really share what I didn't understand. We weren't
making headway in there, so it was decided that we would
re-install Windows (but not play with the data). That
worked VERY well, but I had a problem with MY documents
(kids worked fine) because I had password protected my
account. When I try to open MY documents, it says I can't
access it. So now, to finally finish what I started (and
some other problems that fell into my lap)the only thing
left is to find out how to crack into that My document,
the original one before I reinstalled Windows.
I apologize, after all the research you probably did,
that I had gone another route. I hope you, or anybody
else, can help me figure out this last problem.
Thanks a million!
Pussn
-----Original Message-----
Hi Pussn
I should have also mentioned in my first post that I have
absolutely no access to any of the four accounts on the
pc. As soon as I try one, it says 'loading personal
settings', then promptly shuts down, logging off etc. So
there is NO way I can install a program on that pc. I've
tried safe mode, and I'm still getting the same results.
This suuucks.
Okie Doke! Here are a couple of AV's you can use and run from DOS,
and hopefully, they may kill enough of the junkware to allow you
access the Windows Explorer and run the other cleaning programs.
F-Prot - Home Use - Free
http://www.f-prot.com/products/home_use/win/
Here is how to create the 3.5 floppy disks to run it from.
http://crowleys.crsc.k12.ar.us/documents/fprot.htm
Follow all the instructions carefully. Prepare the floppy's from
the other mahcine to run on yours.
and ......
AVG6 Free:
http://www.grisoft.com/us/us_dwnl_free.php
Copy AVG files to the hard drive and then follow the steps here:
Start the computer in MS-DOS mode (hold down F8 key while computer is
booting up, then from Windows start-up menu
select "start in MS-DOS mode" or
"Command prompt only").
Switch to AVG Anti-Virus destination folder using these steps
(assuming this is the path AVG is installed to) C:\Program
Files\Grisoft\AVG6 as destination folder):
Start AVG for MS-DOS application: avg
In this DOS application, every feature could be selected by pressing
the key with other color (or the key in combination with ALT key).
So it is necessary to choose the Test menu, Complete test item, and
start the test. Select "Heal virus"
In case of infectiuon of some system files should be necessary to
reinstall operating system, to restore the files from backup or to
extract the files from installation *.cab archives .
Or...install the AVG on the other machine and then burn the folder
to the CD. Try to copy the folder to the hard drive of your machine
and run from there, but, it not, then try to run it from the CD,
using the path to the CD as the location. Don't know about that for
sure, but.....you can try.
Please post back with the results and any error messages you may get.
Jan
Smiles are meant to be shared,
that's why they're so contagious.
Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit or other
readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
-----Original Message-----
Hi Pussn
Don't give up so easy! So.....let's work together a bit here and
try to take back your PC.
)
(NOTE: If you can not download these programs from the Internet, if
your PC has CD read capabilities, go to another computer with CD-
ROM burning capabilities. Create a folder on the hard drive of the
other computer called HOLD, download the programs to that folder,
then burn that folder to a CD. Copy the HOLD folder to your HD and
then install the programs from there and run them. After you have
IE access again, update all programs where possible to get the
latest definitions and run them again to be sure there are no
lingering items on the system.) Hopefully, you know someone with
a PC you can use that has CD burner capability, or go to a public
library.
Understand that reinstalling IE or your OS at this point will not
resolve the problem, and may even make it worse, so please, DO NOT
try to reinstall anything until you have cleaned your system. Do
the following, and the parts you can't do from your PC, do from
another, but, do them. We can't do the work there for you there,
so, this is your end of the partnership. <g> However, if at any
time you have a question or problem, post back here and we'll help
you work through it. OK?
)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please follow all instructions carefully:
Courtesy of Jim Byrd:
Sounds like this might be a variant of some malware called
CoolWebSearch (if CWShredder doesn't fix it, then see AdAware,
SpyBot, and HijackThis, below, in that order). Do the following:
#########IMPORTANT#########
Before you try to remove spyware using any of the programs below,
download both a copy of LSPFIX here:
http://www.cexx.org/lspfix.htm
AND a copy of Winsockfix
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here:
http://www.tacktech.com/display.cfm? ttid=257
The process of removing certain malware may kill your internet
connection. If this should occur, these programs, LSPFIX and
WINSOCKFIX, will enable you to regain your connection.
NOTE: It is reported that in XP SP2, the command netsh winsock
reset will fix this problem without the need for these programs.
#########IMPORTANT#########
#########IMPORTANT#########
All of the following removal tools should be run from Safe mode
when possible.Reboot and test if the malware is fixed after using
each tool. #########IMPORTANT#########
Download and run Stinger.exe, here:
http://download.nai.com/products/mcafee-
avert/stinger.exe or from the link
on this page:
http://vil.nai.com/vil/stinger/
Download sysclean.com, from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest
pattern file, here:
http://www.trendmicro.com/download/pattern.asp (You
might also
want to get Art's updater, SYS-UP.Zip, here for future updating of
these:
http://home.epix.net/~artnpeg/). Place them in a dedicated
folder after appropriate unzipping, and then run.
(If you download
and use the updater from the beginning, it will automatically
handle downloading the other files.)
Sometimes the tools below will find files which they are unable to
delete because they are in use. A program called Copylock, here,
http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the
process of "replacing, moving, renaming or deleting one or many
files which are currently in use (e.g. system files like
comctl32.dll, or virus/trojan files.)"
Download, UPDATE before running, and run:
http://209.133.47.200/~merijn/files/CWShredder.exe or here:
http://hem.bredband.net/b157129/f/cwshredder.zip or here:
http://www.softpedia.com/public/scripts/downloadhero/10-
17-150/ or
here:
http://www.zerosrealm.com/downloads/CWShredder.zip
to remove the parasite. Be sure to close all instances of IE and
OE.
There's a good tutorial about CWS and using CWShredder here:
http://www.bleepingcomputer.com/forums/index.php?
showtutorial=47#domain
BE SURE that you get v.1.59.0.1 or later!
You will need to show Hidden files first and then at the end clear
the malware garbage from your System Restore backups after you've
cleaned up. It's best to perform CWShredder (and most other malware
fixers too) from Safe mode and then reboot. AFTER cleaning things
up, then you can disable and then re-enable System Restore. See
******** below.
The following links give instructions on how to do these various
functions:
HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/
2001052409420406
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/
2002092715262339
HOW TO Disable/Flush System Restore (do this at the end AFTER
cleaning or use the suggested procedure for XP at the ******'s)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/
2001111912274039 (WinXP)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/
2001012513122239 (WinME)
Then download and run:
http://www.kellys-korner-
xp.com/regs_edits/iegentabs.reg to restore
your tabs and remove any restrictions that the parasite has put in
place.
Now download and run:
http://www.kellys-korner-
xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions if they've been affected (as they probably
will have been).
Be sure that you also download and install hotfix Q816093, here:
http://support.microsoft.com/?kbid=816093
which blocks the exploit upon which this parasite family depends.
However, this also indicates that you may have acquired some other
malware along the way. If you go to this page at Jim Eshelman's
site, here:
http://aumha.org/a/noads.htm and wait a little bit (be
patient), an analysis of a number of possible parasites on your
machine will be made to help you identify and remove them. NOTE:
You will need to disable Ad Blocking in Zone Alarm 3.x or later, if
present or any other Ad Blocking software which interferes with
Java Scripting for this scan to work. You should get a message
between the two lines of **** giving the results of the scan.
Get Ad-Aware SE Personal Edition, here:
http://www.lavasoftusa.com/support/download/.
UPDATE, set it up in
accordance with this:
http://forum.aumha.org/viewtopic.php?t=5877 or the
directions immediately below and run this regularly to get rid of
most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this
cycle until you get a clean scan. The reason is that it may have
to remove things which are currently "in use" before it can then
clean up others. Configure Ad-aware for a customized scan, and
let it remove any bad files found.....
<Begin Setup Directions>
Then, courtesy of NonSuch at Lockergnome, open Ad- aware then click
the gear wheel at the top and check these options to configure Ad-
aware for a customized scan:
General> activate these: "Automatically save log- file" and
"Automatically quarantine objects prior to removal"
Scanning > activate these: "Scan within
archives", "Scan active
processes", "Scan registry", "Deep scan
registry," "Scan my IE
Favorites for banned sites," and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized
processes during scanning."
Tweaks > Cleaning Engine: activate
these: "Automatically try to
unregister objects prior to deletion" and "Let Windows remove files
in use after reboot."
Click "Proceed" to save your settings, then
click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system.
When the scan is finished, the screen will tell you if anything has
been found, click "Next." The bad files will be listed. Right click
the pane and click "Select all objects" - This will put a check
mark in the box at the side, click "Next" again and
click "OK" at the
prompt "# objects will be removed. Continue?"
<End Setup Directions>
Courtesy of
http://www.nondisputandum.com/html/anti_spyware.html:
HINT: If
Ad Aware is automatically shut-down by a malicious software, first
run AWCloak.exe,
http://www.lavasoftnews.com/downloads/AAWCloak.exe,
before
opening Ad Aware. When AAWCloak is open,
click "Activate Cloak".
Than open Ad Aware and scan your system.
Another excellent program for this purpose is SpyBot Search and
Destroy available here:
http://security.kolla.de/ SpyBot Support
Forum here:
http://www.net-integration.net/cgi-
bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing ONLY RED things
with SpyBot S&D, be sure to re-boot and rerun SpyBot again and
repeat this cycle until you get a clean "no red" scan. The reason
is that SpyBot sometimes has to remove things which are currently
"in use" before it can then clean up others.
Note that sometimes you need to make a judgement call about what
these programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm
Both of these programs should normally be UPDATED and run after
doing any other fix such as CWShredder and, as a minimum, normally
at least once a week.
If they don't fix it then start here:
Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download
a new fresh copy of HijackThis [and CWShredder also] -
It's UPDATED
frequently.) You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?
id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
or here:
http://www.bleepingcomputer.com/files/spyware/hijackthis.z
ip
In Windows Explorer, click on Tools|Folder Options|View and check
"Show hidden files and folders" and uncheck "Hide protected
operating system files". (You may want to restore these when
you're all finished with HijackThis.)
Place HijackThis.exe or unzip HijackThis.zip into its own dedicated
folder at the root level such as C:\HijackThis (NOT in a Temp
folder or on your Desktop), reboot to Safe mode, start HT (have
ONLY HT running - IE MUST be closed) then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now
click the Config button, then Misc Tools and click on Generate
StartupList.log which will create Startuplist.txt
Then go to one of the following forums:
Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Net-Integration here:
http://www.net-integration.net/cgi-
bin/forum/ikonboard.cgi?
s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
or Tom Coyote here:
http://forums.tomcoyote.org/index.php?act=idx
or Jim Eshelman's site here:
http://forum.aumha.org/
or Bleepingcomputer here:
http://www.bleepingcomputer.com/
or Computer Cops here:
http://www.computercops.biz/forums.html
Register if necessary, then sign in and READ THE DIRECTIONS at the
beginning of the particular site's HiJackThis forum, then copy and
paste both files into a message asking for assistance, Someone will
answer with detailed instructions for the removal of your
parasite(s). Be sure you include at the beginning of your post a
description of "What specific problem(s)/symptoms you're trying to
solve" and "What steps you've already taken."
*******
ONLY IF you've successfully eliminated the malware, you can now
make a new, clean Restore Point and delete any previously saved
(possibly infected) ones. The following suggested approach is
courtesy of Gary Woodruff: For XP you can run a Disk Cleanup
cycle and then look in the More Options tab. The System Restore
option removes all but the latest Restore Point. If there hasn't
been one made since the system was cleaned you should manually
create one before dumping the old possibly infected ones. *******
Once you get this cleaned up, you might want to consider installing
Eric Howes' IESpyAds, SpywareBlaster and SpywareGuard here to help
prevent this kind of thing from happening in the future:
IESpyads -
https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-
SPYAD adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of
Internet Explorer. Once you merge this list of sites and domains
into the Registry, the web sites for these companies will not be
able to use cookies, ActiveX controls, Java applets, or scripting
to compromise your privacy or your PC while you surf the Net. Nor
will they be able to use your browser to push unwanted pop- ups,
cookies, or auto-installing programs on your PC." Read carefully.
http://www.javacoolsoftware.com/spywareblaster.html (Prevents
malware Active X installs) (BTW, SpyWareBlaster is not memory
resident ... no CPU or memory load - but keep it UPDATED) The
latest version as of this writing will prevent installation or
prevent the malware from running if it is already installed, and
it provides information and fixit-links for a variety of parasites.
http://www.javacoolsoftware.com/spywareguard.html (Monitors for
attempts to install malware) Keep it UPDATED. All three Very
Highly Recommended
Finally, go to Windows Update and ensure that ALL Critical updates
are installed.
If these steps do not resolve your problem, please post back to
this thread with the details and any error messages.
Hope this helps
Jan
Smiles are meant to be shared,
that's why they're so contagious.
Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit or other
readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
-----Original Message-----
Hi again
I'm still having a problem with IE6! OS is XP with
SP2 (I'm assuming, I see windows SR 2.0 in my programs
list), and I think I've been attacked by a virus or
whatever is out there that's taken out my browser. It
comes up but doesn't connect to the internet. I've gone
to Microsoft to download it again, but it still doesn't
work!
I've gone back to several posts screaming for help
but the responses are a little confusing to this still
newbie. Registry? Backing it up? How does one do that?
How does one check it for viruses? I think what I need
here is someone to lead me by the hand, I'm that nervous
about digging around that deep inside the pc. Or would it
better for me just to scrub everything clean (format) and
start fresh?
So, is there anyone out there willing to give this
ole gal a helping hand? Please? I'll bake you a
pie ;O)
Regards and thanks in advance, Pussn
PS-Not much meat to the info, I know, so please, go ahead
and ask! I just don't know what else to add. Thanks
.
Never mind....whatever it was that took out my browser
has now locked me out completly from the pc, can't even
get into my own account. Nothing. Stoopit hackers. I hate
em all!
.
.
