Re: very slow WIN XP Pro and other issues
From: Malke (malke_at_nospoonnotreally.com)
Date: 12/09/04
- Next message: Ken Blake: "Re: reformat"
- Previous message: Ken Blake: "Re: How to delete update residue"
- In reply to: imoorthy: "Re: very slow WIN XP Pro and other issues"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 09 Dec 2004 11:41:30 -0800
imoorthy wrote:
> As I have indicated earlier I am not able to access the CW shredder
> website. I get the following message:
>
> Quote:
> You might not have permission to view this directory or page using the
> credentials you supplied.
>
>
> --------------------------------------------------------------------------------
>
> If you believe you should be able to view this directory or page,
> please try to contact the Web site by using any e-mail address or
> phone number that may be listed on the www.spywareinfo.com home page.
>
> You can click Search to look for information on the Internet.
>
> HTTP Error 403 - Forbidden
> Internet Explorer
> unquote
>
> What do I do now?
>
> RIM
>
>
> "Ross Durie" wrote:
>
>> There is no "automated" anti-spyware removal tool for this type of
>> infection. There are 2 DLLs involved, the "BHO" DLL which you see in
>> your log and the main culprit which is totally hidden. Removing the
>> "BHO" DLL has no effect as it (main culprit) will simply generate a
>> new BHO DLL.
>>
>> Ok, here goes ... this is my "How To:" (Hint: print out the below)
>>
>> [Tools and files needed]
>>
>> Download: "RepairAppInit.reg" (XP\2K only!)
>> http://www.mvps.org/winhelp2002/RepairAppInit.reg
>> Do not do anything with this file yet, it will be needed later.
>>
>> Download: CWShredder
>> http://www.spywareinfo.com/~merijn/files/hijackthis.zip
>> Unzip, but do not run it yet, it will be needed later.
>>
>> Download: Ad-Aware
>> http://www.lavasoft.de/software/adaware/
>> Install, but do not run it yet, it will be needed later.
>>
>> Download: Find-All.zip
>> http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
>> Unzip, but do not run it yet, it will be needed later.
>>
>> Download: WINFILE.zip
>> http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
>> Unzip, but do not run it yet, it will be needed later.
>>
>> Download: Registrar Lite [freeware]
>> http://www.resplendence.com/download
>> Install, but do not run it yet, it will be needed later.
>>
>> [Step1]
>>
>> Double-click the included "Find-All.bat" file from Find-All.zip.
>> Generates: "output.txt"
>> Note: if infected you will see:
>>
>> Locked file(s) found...
>> C:\WINDOWS\System32\<filename> +++ File read error
>> Where "<filename>" is the hidden invisible installer.
>> Note: "+++ File read error" is not an error, this just identifies the
>> culprit.
>>
>> [Step2]
>>
>> Run "Registrar Lite" and navigate to:
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
>> Double click on "AppInit_DLLs" entry (right pane)
>> The size will likely be something other than "1" (if infected)
>> IMPORTANT: Make a note of the filename and location (folder)
>>
>> [Step3]
>>
>> Rename the highlighted "Windows" key (left pane)
>> To rename: Right-click and select: Rename
>> (type) NoWindows
>>
>>
>> Double-click "AppInit_DLLs" again (right pane)
>> Clear (delete) the "Value" containing the .dll and click Ok.
>>
>>
>> IMPORTANT: Rename the "NoWindows" key (left pane)
>> To rename: Right-click and select: Rename
>> (type) "Windows" (no quotes) and close RegLite.
>>
>> [Step 4]
>>
>> Using Windows Explorer go to your root drive: (typically) "C:\"
>> Click File (up top) select: New > Folder
>> (type) "Junk" (no quotes)
>>
>> Open Winfile
>>
>> Navigate to System32 folder. N.B. File may have HIDDEN attribute.
>> Click File (up top) select: Move
>>
>> Copy and paste this into the 'From' box:
>> C:\WINDOWS\System32\<filename>.dll
>> Copy and paste this into the 'To' box:
>> C:\Junk\<filename>.dll
>>
>> Note: where "<filename>" = culprit dll from "output.txt"
>>
>> Click OK. Close Winfile
>> Open Windows Explorer and check in C:\Junk for the "<filename>.dll"
>> file.
>>
>> At this point see if you can rename the "<filename>.dll"
>> Do this several times, changing the name and extension each time.
>> Then see if you can "Move" to "A:\" (floppy)
>>
>> [Step 5]
>>
>> Locate: "RepairAppInit.reg" right-click and select: Merge
>> Ok the prompt
>>
>> [Step 6]
>>
>> Open Regedit (Start | Run (type) "regedit" (no quotes)
>> Use the Search function for the <filename>.dll
>> Click: Edit (up top) select: Find
>> (type) <filename>.dll, click: Find Next
>>
>> Note: where "<filename>" = culprit dll from "output.txt"
>>
>> Remove all instances found. Press "F3" to continue searching
>> until you see the "Completed" message.
>>
>> Next repeat the above steps, substitute the "secondary dll"
>> From: "text/html" as seen in the "output.txt"
>>
>>
>> [Step 7]
>>
>> Run CWShredder and reboot.
>>
>> [Step 8]
>> Run Ad-Aware
>>
>> Reconfigure Ad-Aware for Full Scan:
>> Please update the reference file following the instructions here:
>> http://www.lavahelp.com/howto/updref/index.html
>>
>> Launch the program, and click on the Gear at the top of the start
>> screen.
>>
>> Click the "Scanning" button.
>> Under Drives & Folders, select "Scan within Archives".
>> Click "Click here to select Drives + folders" and select your
>> installed hard drives.
>>
>> Under Memory & Registry, select all options.
>> Click the "Advanced" button.
>> Under "Log-file detail", select all options.
>> Click the "Tweaks" button.
>>
>> Under "Scanning Engine", select the following:
>> "Include additional Ad-aware settings in logfile" and
>> "Unload recognized processes during scanning."
>> Under "Cleaning Engine", select the following:
>> "Let Windows remove files in use after reboot."
>> Click on 'Proceed' to save these Preferences.
>> Please make sure that you activate IN-DEPTH scanning before you
>> proceed.
>>
>> After the above post a fresh log ...
>> --
>>
>> Disclaimer: Renaming the "Windows" key modified some security
>> settings.
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
>>
>> Right-click the "Windows" key, select: Permissions
>>
>> [Example]
>> Before renaming the "Windows" key:
>>
>> "Path"
>> "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
>> NT\CurrentVersion\Windows" "Read":
>> *"Administrators
>> *Power Users
>> *Users"
>> "Write"
>> *"Administrators"
>>
>> --
>> [Example]
>>
>> After Renaming the key:
>>
>> "Path"
>> "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
>> NT\CurrentVersion\Windows" "Read":
>> ***"Everyone"***
>> "Write"
>> *"Administrators"
>> --
>>
>> You need to check that and if 'Everyone' was added (as seen above)
>> You need to reset your original settings as follows:
>> Note: do this after removing the infection.
>>
>> Right-click "Windows", select: Permissions
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
>>
>> Click Advanced [button]
>> If the "inherit permissions" box is checked = Uncheck it.
>> Then select "COPY" on the prompt.
>>
>> Select "Everyone Group" (if listed) and remove. (only the group)
>> You can individually view/edit each group settings.
>> Be sure "Administrators" and "System" have full control on all.
>> Note: Creator owner full control on Sub keys only.
>> "Power users" and "users" = "read control".
>>
>> --
>> Ross
>> "imoorthy" <imoorthy@discussions.microsoft.com> wrote in message
>> news:4075A6D6-F292-492A-A665-086D48895B6B@microsoft.com...
>> > I have a Dell Inspiron 8200, laptop, 256 MB/30GB as my computer,
>> > and of course runs WIN XP PRO. I have the following problems.
>> >
>> > Extremely slow startup - 5-6 minutes and a slightly faster
>> > shutdown. 2-3 minutes.
>> >
>> > Slow response - click on the IE on quickstart it will take 2
>> > minutes for about blank IE to come up.
>> >
>> > I have tried to use the earlier solutions but with the following
>> > results. I tried to download cwshredder and other such utilities but
>> > I get the message you are not allowed to access the (download) page.
>> >
>> > I also see that my dialup internet connection gets disconnected
>> > frequently.
>> > I used the Dell modem helper and it says my modem is in use when I
>> > am not connected to the net (error code 67 - com port conflict)
>> >
>> > I have Norton AVS and ZL pro firewall.
>> >
>> > Please advise on next course of action.
>> >
>> > thanks in advance to the various wizards out there.
>> >
>> > RIM
>>
>>
>>
Your hosts file is probably hijacked also. First, clear out your hosts
file (instructions follow). Then - from another machine with a working
Internet connection and a cd burner - download all the tools you will
need to clean up the malware. Malware removal steps and links follow
the hosts file information.
Check the hosts files as follows:
1. In XP's Search preferences, set the files and folders handling to
Advanced, and then check the box that will make Search look in hidden
files/folders.
2. Now enter the search term "hosts" without the quotes.
3. You will get several hosts and lmhosts files. Double-click each one
to open it. When you do this, you'll get a Windows dialog box saying
that Windows cannot open this file, do you want to use the web or
select from a list to find the proper program. Choose "select from a
list" and highlight Notepad. Make sure the box to always use this
program to open this type of file is not checked.
4. Now carefully examine the file. Lines that begin with a # are
comments and don't count. Leave them alone. Unless you know you use a
proxy server to get to the Internet or you added entries yourself, the
only uncommented entry that should be there is:
127.0.0.1 localhost
If you see any other entries, delete them and Save the file. Make sure
you scroll all the way down to the bottom of the window if there is a
scrollbar. Do this for each file you found. Now you should be able to
get to antivirus and spyware-fighting websites.
Malware removal (do all scans in Safe Mode with updated tools):
1) Scan in Safe Mode with current version (not earlier than 2003)
antivirus using updated definitions.
2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.
Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).
HijackThis is an excellent tool to discover and disable hijackers, but
it requires expert skill. See below for HijackThis links. A combination
of HijackThis and About:Buster works well in removing the About:Blank
homepage hijacker. Again, this is an expert tool and novices should get
help with it.
3) If you are running Windows ME or XP, you should disable/enable System
Restore because malware will be in the Restore Points. With ME, you
must disable System Restore completely. With XP, you can delete all but
the most recent (presumably clean) System Restore point from the More
Options section of Disk Cleanup (Run>cleanmgr).
4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.
5) Run a firewall.
Links to help with malware:
Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.majorgeeks.com - good download site
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.silentrunners.org/sr_cwsremoval.html - SilentRunners
HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://www.spywareinfo.com/forums/
General:
http://forum.aumha.org/ - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
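The hosts-file check in step 4 above, written out as a small audit script. This is an added example, not code from the thread or from any of the tools it links; the file content below is constructed to show a hijacked hosts file of the kind described, and the `allowlist` parameter stands in for entries you added yourself (a proxy, for instance).

```python
# Added example (not from the thread): audit a hosts file the way step 4
# describes. Every uncommented mapping other than "127.0.0.1 localhost",
# and not on an allowlist of entries you added yourself, is reported.

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments.

    Blank lines and lines starting with '#' are ignored; a trailing
    '# comment' after an entry is stripped. One line may map several
    hostnames to one address, so each hostname becomes its own pair.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        fields = line.split()                 # tabs or spaces both work
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text, allowlist=()):
    """Entries that are neither the localhost line nor on the allowlist."""
    allowed = {("127.0.0.1", "localhost")} | set(allowlist)
    return [e for e in parse_hosts(text) if e not in allowed]


# Constructed sample: a hijacked hosts file that points security sites at
# the local machine, which is why their download pages refuse to load.
# The bad lines sit below the stock comment header, as the post warns.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1\twww.spywareinfo.com  # hidden entry, tab-separated
127.0.0.1 www.lavasoft.de safer-networking.org
10.0.0.5  intranet-proxy   # an entry the user added deliberately
"""

if __name__ == "__main__":
    my_entries = [("10.0.0.5", "intranet-proxy")]   # assumed user-added
    for ip, name in suspicious_entries(SAMPLE_HOSTS, allowlist=my_entries):
        print(f"REMOVE: {ip} {name}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; run the script from a clean machine or a console, since it only reads text and never edits the file.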