Re: very slow WIN XP Pro and other issues

From: imoorthy (imoorthy_at_discussions.microsoft.com)
Date: 12/09/04


Date: Thu, 9 Dec 2004 05:05:03 -0800

As I have indicated earlier I am not able to access the CW shredder website.
I get the following message:

Quote:
You might not have permission to view this directory or page using the
credentials you supplied.

--------------------------------------------------------------------------------

If you believe you should be able to view this directory or page, please try
to contact the Web site by using any e-mail address or phone number that may
be listed on the www.spywareinfo.com home page.

You can click Search to look for information on the Internet.

HTTP Error 403 - Forbidden
Internet Explorer
unquote

What do I do now?

RIM

"Ross Durie" wrote:

> There is no "automated" anti-spyware removal tool for this type of infection.
> There are 2 DLLs involved, the "BHO" DLL which you see in your log and the
> main culprit which is totally hidden. Removing the "BHO" DLL has no effect
> as it (main culprit) will simply generate a new BHO DLL.
>
> Ok, here goes ... this is my "How To:" (Hint: print out the below)
>
> [Tools and files needed]
>
> Download: "RepairAppInit.reg" (XP\2K only!)
> http://www.mvps.org/winhelp2002/RepairAppInit.reg
> Do not do anything with this file yet, it will be needed later.
>
> Download: CWShredder
> http://www.spywareinfo.com/~merijn/files/hijackthis.zip
> Unzip, but do not run it yet, it will be needed later.
>
> Download: Ad-Aware
> http://www.lavasoft.de/software/adaware/
> Install, but do not run it yet, it will be needed later.
>
> Download: Find-All.zip
> http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
> Unzip, but do not run it yet, it will be needed later.
>
> Download: WINFILE.zip
> http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
> Unzip, but do not run it yet, it will be needed later.
>
> Download: Registrar Lite [freeware]
> http://www.resplendence.com/download
> Install, but do not run it yet, it will be needed later.
>
> [Step1]
>
> Double-click the included "Find-All.bat" file from Find-All.zip.
> Generates: "output.txt"
> Note: if infected you will see:
>
> Locked file(s) found...
> C:\WINDOWS\System32\<filename> +++ File read error
> Where "<filename>" is the hidden invisible installer.
> Note: "+++ File read error" is not an error, this just identifies the
> culprit.
>
> [Step2]
>
> Run "Registrar Lite" and navigate to:
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
> Double click on "AppInit_DLLs" entry (right pane)
> The size will likely be something other than "1" (if infected)
> IMPORTANT: Make a note of the filename and location (folder)
>
> [Step3]
>
> Rename the highlighted "Windows" key (left pane)
> To rename: Right-click and select: Rename
> (type) NoWindows
>
>
> Double-click "AppInit_DLLs" again (right pane)
> Clear (delete) the "Value" containing the .dll and click Ok.
>
>
> IMPORTANT: Rename the "NoWindows" key (left pane)
> To rename: Right-click and select: Rename
> (type) "Windows" (no quotes) and close RegLite.
>
> [Step 4]
>
> Using Windows Explorer go to your root drive: (typically) "C:\"
> Click File (up top) select: New > Folder
> (type) "Junk" (no quotes)
>
> Open Winfile
>
> Navigate to System32 folder. N.B. File may have HIDDEN attribute.
> Click File (up top) select: Move
>
> Copy and paste this into the 'From' box: C:\WINDOWS\System32\<filename>.dll
> Copy and paste this into the 'To' box: C:\Junk\<filename>.dll
>
> Note: where "<filename>" = culprit dll from "output.txt"
>
> Click OK. Close Winfile
> Open Windows Explorer and check in C:\Junk for the "<filename>.dll" file.
>
> At this point see if you can rename the "<filename>.dll"
> Do this several times, changing the name and extension each time.
> Then see if you can "Move" to "A:\" (floppy)
>
> [Step 5]
>
> Locate: "RepairAppInit.reg" right-click and select: Merge
> Ok the prompt
>
> [Step 6]
>
> Open Regedit (Start | Run (type) "regedit" (no quotes)
> Use the Search function for the <filename>.dll
> Click: Edit (up top) select: Find
> (type) <filename>.dll, click: Find Next
>
> Note: where "<filename>" = culprit dll from "output.txt"
>
> Remove all instances found. Press "F3" to continue searching
> until you see the "Completed" message.
>
> Next repeat the above steps, substitute the "secondary dll"
> From: "text/html" as seen in the "output.txt"
>
>
> [Step 7]
>
> Run CWShredder and reboot.
>
> [Step 8]
> Run Ad-Aware
>
> Reconfigure Ad-Aware for Full Scan:
> Please update the reference file following the instructions here:
> http://www.lavahelp.com/howto/updref/index.html
>
> Launch the program, and click on the Gear at the top of the start screen.
>
> Click the "Scanning" button.
> Under Drives & Folders, select "Scan within Archives".
> Click "Click here to select Drives + folders" and select your installed hard
> drives.
>
> Under Memory & Registry, select all options.
> Click the "Advanced" button.
> Under "Log-file detail", select all options.
> Click the "Tweaks" button.
>
> Under "Scanning Engine", select the following:
> "Include additional Ad-aware settings in logfile" and
> "Unload recognized processes during scanning."
> Under "Cleaning Engine", select the following:
> "Let Windows remove files in use after reboot."
> Click on 'Proceed' to save these Preferences.
> Please make sure that you activate IN-DEPTH scanning before you proceed.
>
> After the above post a fresh log ...
> --
>
> Disclaimer: Renaming the "Windows" key modified some security settings.
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
>
> Right-click the "Windows" key, select: Permissions
>
> [Example]
> Before renaming the "Windows" key:
>
> "Path"
> "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
> "Read":
> *"Administrators
> *Power Users
> *Users"
> "Write"
> *"Administrators"
>
> --
> [Example]
>
> After Renaming the key:
>
> "Path"
> "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
> "Read":
> ***"Everyone"***
> "Write"
> *"Administrators
> --
>
> You need to check that and if 'Everyone' was added (as seen above)
> You need to reset your original settings as follows:
> Note: do this after removing the infection.
>
> Right-click "Windows", select: Permissions
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
>
> Click Advanced [button]
> If the "inherit permissions" box is checked = Uncheck it.
> Then select "COPY" on the prompt.
>
> Select "Everyone Group" (if listed) and remove. (only the group)
> You can individually view/edit each group settings.
> Be sure "Administrators" and "System" have full control on all.
> Note: Creator owner full control on Sub keys only.
> "Power users" and "users" = "read control".
>
> --
> Ross
> "imoorthy" <imoorthy@discussions.microsoft.com> wrote in message
> news:4075A6D6-F292-492A-A665-086D48895B6B@microsoft.com...
> > I have a Dell Inspiron 8200, laptop, 256 MB/30GB as my computer, and of
> > course runs WIN XP PRO. I have the following problems.
> >
> > Extremely slow startup - 5-6 minutes and a slightly faster shutdown. 2-3
> > minutes.
> >
> > Slow response - click on the IE on quickstart it will take 2 minutes for
> > about blank IE to come up.
> >
> > I have tried to use the earlier solutions but with the following results. I
> > tried to download cwshredder and other such utilities but I get the
> > message you are not allowed to access the (download) page.
> >
> > I also see that my dialup internet connection gets disconnected frequently.
> > I used the Dell modem helper and it says my modem is in use when I am not
> > connected to the net (error code 67 - com port conflict)
> >
> > I have Norton AVS and ZL pro firewall.
> >
> > Please advise on next course of action.
> >
> > thanks in advance to the various wizards out there.
> >
> > RIM
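The manual checks in Ross's Step 1, Step 2 and the closing permissions disclaimer (read AppInit_DLLs, see whether the listed DLL is hidden and held open, and see whether "Everyone" has ended up on the "Windows" key) can be done from one script. The following is an added example written for this page, not one of the tools Ross links to and not something posted in the thread. It assumes PowerShell 3 or later with the Registry provider, an elevated prompt, and uses an exclusive-open attempt as a rough stand-in for Find-All's "File read error" (Find-All's exact test is not described in the thread).

```powershell
# Added example, not from the thread. Inspect the AppInit_DLLs value, the
# DLLs it names, and the ACL on its parent key. Run from an elevated prompt.

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDllReport {
    # Step 2 equivalent: read the AppInit_DLLs value. It can be empty, or hold
    # several paths separated by spaces or commas. Relative names resolve
    # against System32 when the loader processes the value.
    $props = Get-ItemProperty -Path $KeyPath
    $raw = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) {
        return @()     # nothing listed: expected on a clean machine
    }
    $entries = $raw -split '[ ,]+' | Where-Object { $_ }
    foreach ($entry in $entries) {
        $full = if ([System.IO.Path]::IsPathRooted($entry)) { $entry }
                else { Join-Path $env:SystemRoot ('System32\' + $entry) }
        # -Force makes Get-Item return hidden/system files too.
        $item = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{ Path = $full; Exists = $false; Hidden = $null; InUse = $null; Size = $null }
            continue
        }
        $hidden = ($item.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0
        # Step 1 equivalent (approximation): try to open the file exclusively.
        # A sharing violation means something still holds the file, which is
        # the kind of DLL Ross moves with Winfile rather than Explorer.
        $inUse = $false
        try {
            $fs = [System.IO.File]::Open($full, 'Open', 'Read', 'None')
            $fs.Close()
        } catch {
            $inUse = $true
        }
        [pscustomobject]@{ Path = $full; Exists = $true; Hidden = $hidden; InUse = $inUse; Size = $item.Length }
    }
}

function Get-WindowsKeyAclReport {
    # Disclaimer check: renaming the key can leave 'Everyone' with Read on it.
    # List every ACE so the reader can compare against Ross's "before" example
    # (Administrators/Power Users/Users read, Administrators write).
    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Flagged   = ($ace.IdentityReference.Value -like '*Everyone')
        }
    }
}

Write-Host "AppInit_DLLs entries under $KeyPath"
$dlls = @(Get-AppInitDllReport)
if ($dlls.Count -eq 0) { Write-Host '  (empty)' }
else { $dlls | Format-Table -AutoSize | Out-String | Write-Host }

Write-Host "ACL on the 'Windows' key (Flagged = an 'Everyone' entry is present)"
Get-WindowsKeyAclReport | Format-Table -AutoSize | Out-String | Write-Host
```

If the first table shows a file that exists, is hidden and is in use, that is the file Ross's Step 4 moves out of System32; if the second table has a row with Flagged = True, follow his permissions reset steps after the cleanup. The script only reads; it changes nothing in the registry or on disk.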