Re: Need to repair or reinstall IE6

From: Jim Byrd (jrbyrd_at_spamlessadelphia.net)
Date: 06/15/04


Date: Mon, 14 Jun 2004 20:19:02 -0700

YW, Bob - Glad you got things cleaned up.

-- 
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
 In news:OzAPafiUEHA.2484@TK2MSFTNGP11.phx.gbl,
BobV <robowa@comcast.net> typed:
> Hi Jim
>
> Thanks so much.  I did implement many of your suggestions, and now
> everything is back to normal.
>
> The WinSock XP Fix got the browser working again, CWShredder found some
> infected files, and then SpyBot took care of some SLOTCH hijacking files.
> It is very nice after many hours of troubleshooting, and days without IE
> to be back to normal.
>
> I will look at the rest of your suggestions, and hopefully will not get
> reinfected.
>
> Thanks Again, Bob
>
>
> "Jim Byrd" <jrbyrd@spamlessadelphia.net> wrote in message
> news:uH1I$7YUEHA.2520@TK2MSFTNGP10.phx.gbl...
>> Hi Bob - Download and run WinSock XP Fix 1.2 from here:
>> http://www.spychecker.com/program/winsockxpfix.html   If you can't download
>> it from another computer and transfer it by floppy, post back here, and if
>> your email server will let you accept a 1.4 MB attachment, I'll email it to
>> you as an attachment.  (Since you're on XP, run this even if you've already,
>> as you say, run lspfix).  Since you don't state the steps you took to remove
>> Incredifind, (and it can be particularly difficult to remove if you miss
>> even one thing), I would suggest that you do the following in order once you
>> restore on-line access.
>>
>> (Run CWShredder then AdAware, SpyBot, and HijackThis (if needed), below, in
>> that order).  Do the following:
>>
>>
>>
>> Before you try to remove spyware using any of the programs below, download a
>> copy of LSPFIX from any of the following sites:
>>
>> http://www.cexx.org/lspfix.htm
>> http://www.mvps.org/sramesh2k/winsock.htm
>> http://www.spychecker.com/program/winsockxpfix.html  (if your OS is XP)
>> The process of removing certain malware may kill your internet connection.
>> If this should occur, this program, LSPFIX, will enable you to regain your
>> connection.
>>
>>
>>
>> Download, UPDATE before running, and run:
>> http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
>> Be sure to close all instances of IE and OE.   You may also get it here if
>> that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip
>>
>> BE SURE that you get v.158 or later!
>>
>> You will need to show Hidden files first and then at the end clear the
>> malware garbage from your System Restore backups after you've cleaned up.
>> It's best to perform CWShredder (and most other malware fixers too) from
>> Safe mode and then reboot. AFTER cleaning things up, then you can disable
>> and then re-enable System Restore.  See ******** below.
>>
>> The following links give instructions on how to do these various functions:
>>
>>
>> HOW TO Restart in Safe Mode
>> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406>
>>
>> HOW TO Enable Hidden Files
>> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339>
>>
>> HOW TO Disable/Flush System Restore  (do this at the end AFTER cleaning or
>> use the suggested procedure for XP at the ******'s)
>> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039> (WinXP)
>> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239> (WinME)
>>
>>
>>
>> Then download and run:
>> http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
>> tabs and remove any restrictions that the parasite has put in place.
>>
>> Now download and run:
>> http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
>> your search functions if they've been affected (as they probably will have
>> been).
>>
>>
>> Be sure that you also download and install hotfix Q816093, here:
>>
>> http://support.microsoft.com/?kbid=816093
>>
>> which blocks the exploit upon which this parasite family depends.
>>
>>
>>
>> However, this also indicates that you may have acquired some other malware
>> along the way. If you go to this page at Jim Eshelman's site, here:
>> http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
>> of a number of possible parasites on your machine will be made to help you
>> identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
>> Alarm 3.x, if present or any other Ad Blocking software which interferes
>> with Java Scripting for this scan to work. You should get a message between
>> the two lines of **** giving the results of the scan.
>>
>> Get Ad-Aware 6.0, Build 181 or later, here:
>> http://www.lavasoftusa.com/support/download/.  UPDATE and run this regularly
>> to get rid of most "spyware/hijackware" on your machine.   If it has to fix
>> things, be sure to re-boot and rerun AdAware again and repeat this cycle
>> until you get a clean scan.  The reason is that it may have to remove
>> things which are currently "in use" before it can then clean up others.
>>
>> Another excellent program for this purpose is SpyBot Search and Destroy
>> available here:  http://security.kolla.de/  SpyBot Support Forum here:
>> http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi.   I recommend
>> using both normally.  After UPDATING and fixing things with SpyBot S&D, be
>> sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
>> clean "no red" scan.  The reason is that SpyBot sometimes has to remove
>> things which are currently "in use" before it can then clean up others.
>>
>> Note that sometimes you need to make a judgement call about what these
>> programs report as spyware. See here, for example:
>> http://www.imilly.com/alexa.htm
>>
>> Both of these programs should normally be UPDATED and run after doing any
>> other fix such as CWShredder and, as a minimum, normally at least once a
>> week.
>>
>>
>>
>> If they don't fix it then start here:
>>
>> Download HijackThis, free, here:
>> http://209.133.47.200/~merijn/files/HijackThis.exe  (Always download a new
>> fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
>> You may also get it here if that link is blocked:
>>
>> http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
>>
>> In Windows Explorer, click on Tools|Folder Options|View and check "Show
>> hidden files and folders"  and uncheck  "Hide protected operating system
>> files".  (You may want to restore these when you're all finished with
>> HijackThis.)
>>
>> Unzip the downloaded HijackThis to any convenient folder, start it then
>> press Scan. Click on SaveLog when it's finished which will create
>> hijackthis.log. Now click the Config button, then Misc Tools and click on
>> Generate StartupList.log which will create Startuplist.txt
>>
>> Then go to one of the following forums:
>>
>> Spyware and Hijackware Removal Support, here:
>> http://216.180.233.162/~swicom/forums/
>>
>> or Net-Integration here:
>>
>> http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>>
>> or Tom Coyote here:  http://forums.tomcoyote.org/index.php?act=idx
>>
>> Sign in, then copy and paste both files into a message asking for
>> assistance. Someone will answer with detailed instructions for the removal
>> of your parasite(s).
>>
>>
>> *******
>> ONLY IF you've successfully eliminated the malware, you can now make a new,
>> clean Restore Point and delete any previously saved (possibly infected)
>> ones. The following suggested approach is courtesy of Gary Woodruff:  For XP
>> you can run a Disk Cleanup cycle and then look in the More Options tab. The
>> System Restore option removes all but the latest Restore Point. If there
>> hasn't been one made since the system was cleaned you should manually create
>> one before dumping the old possibly infected ones.
>> *******
>>
>>
>> Once you get this cleaned up, you might want to consider installing the
>> SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
>> happening in the future:
>>
>> http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
>> X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
>> memory load - but keep it UPDATED) The latest version as of this writing
>> will prevent installation or prevent the malware from running if it is
>> already installed, and it provides information and fixit-links for a variety
>> of parasites.
>>
>> http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
>> install malware) Keep it UPDATED.  Both Very Highly Recommended
>>
>>
>> Finally, go to Windows Update and ensure that ALL Critical updates are
>> installed.
>>
>> --
>> Please respond in the same thread.
>> Regards, Jim Byrd, MS-MVP
>>
>>
>>
>>  In news:O$PQft8TEHA.3332@TK2MSFTNGP12.phx.gbl,
>> BobV <robowa@comcast.net> typed:
>>> Unfortunately my browser was hijacked by Incredifind.  Using directions I
>>> found on the net I was able to remove it, but it left me a browser that only
>>> gives me the -- can't display page-- message.
>>>
>>> I have tried to uninstall and reinstall IE using regedit with no luck. I
>>> also reinstalled XP as an upgrade with no luck.  I downloaded a new copy of
>>> IE6 from the net and installed also with no success.  I was able to install XP
>>> on another partition, and this works fine.  I am now using Netscape (Ugh) as
>>> my browser on my original partition, but am not all that happy with either
>>> of the two solutions.
>>>
>>> I have spent considerable time searching on the net including MS Knowledge
>>> Base with no fix.
>>>
>>> lspfix didn't help either
>>>
>>> Any ideas?
>>>
>>> Thanks in advance, Bob