Re: ie,...again

From: Jan Il (abuse_at_localhost.com)
Date: 09/21/04 

Date: Mon, 20 Sep 2004 21:18:59 -0700

Hi Pussn :-)

Glad to hear that you are finally able to get your machine back in service,
and all you have now is a Admin issue, and it looks like Ricky has good
information for you on this.

The main thing is that you are back up again. I learned a few new things
through this too ;-)))

Thank you for posting back and letting us know the details of what worked
for you, and for the benefit of other readers who may have a similar
problem. :-)

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit or other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

> HI Jan!
>
> I had my brother in law to come up yesterday to give
> me a hand and we tried some things before you post came
> up. I apologize ahead also for the lenghty post, but like
> your credo is, information for the masses to share is the
> way to go.
> When I was giving up, I was at the point where the
> Welcome page came up, but it would not let you log on,
> instead it would immediatly log you off. That was no
> good, since I couldn't do anything. I took Rick's
> suggestion and checked out the sites he posted and though
> I found some interesting info, I didn't delve too deep in
> the registry because I wasn't comfortable with it.
> It was suggested in one of those sites to boot from
> the OS CD and go into the recovery mode to do some
> tinkering in there but I ran into a wall there until I
> realized I did a newbie move and hadn't put the CD as the
> #1 boot sequence, which finally worked once I rectified
> that embarassement.
> Bro in law did some tinkering in there, explaining
> as he worked away, but some of it was over my head, so I
> can't really share what I didn't understand. We weren't
> making headway in there, so it was decided that we would
> re-install Windows (but not play with the data). That
> worked VERY well, but I had a problem with MY documents
> (kids worked fine) because I had password protected my
> account. When I try to open MY documents, it says I can't
> access it. So now, to finally finish what I started (and
> some other problems that fell into my lap)the only thing
> left is to find out how to crack into that My document,
> the original one before I reinstalled Windows.
> I apologize, after all the research you probably did,
> that I had gone another route. I hope you, or anybody
> else, can help me figure out this last problem.
>
> Thanks a million!
> Pussn
>
>
>
>
>
>
>
>
>
>
>
>> -----Original Message-----
>> Hi Pussn :-)
>>
>>> I should have also mentioned in my first post that I have
>>> absolutely no access to any of the four accounts on the
>>> pc. As soon as I try one, it says 'loading personal
>>> settings', then promptly shuts down, logging off etc. So
>>> there is NO way I can install a program on that pc. I've
>>> tried safe mode, and I'm still getting the same results.
>>> This suuucks.
>>
>> Okie Doke! Here are a couple of AV's you can use and run from DOS,
>> and hopefully, they may kill enough of the junkware to allow you
>> access the Windows Explorer and run the other cleaning programs.
>>
>> F-Prot - Home Use - Free
>> http://www.f-prot.com/products/home_use/win/
>>
>> Here is how to create the 3.5 floppy disks to run it from.
>> http://crowleys.crsc.k12.ar.us/documents/fprot.htm
>> Follow all the instructions carefully. Prepare the floppy's from
>> the other mahcine to run on yours.
>>
>> and ......
>>
>> AVG6 Free:
>> http://www.grisoft.com/us/us_dwnl_free.php
>>
>> Copy AVG files to the hard drive and then follow the steps here:
>>
>> Start the computer in MS-DOS mode (hold down F8 key while computer is
>> booting up, then from Windows start-up menu
> select "start in MS-DOS mode" or
>> "Command prompt only").
>> Switch to AVG Anti-Virus destination folder using these steps
>> (assuming this is the path AVG is installed to) C:\Program
>> Files\Grisoft\AVG6 as destination folder):
>> Start AVG for MS-DOS application: avg
>> In this DOS application, every feature could be selected by pressing
>> the key with other color (or the key in combination with ALT key).
>> So it is necessary to choose the Test menu, Complete test item, and
>> start the test. Select "Heal virus"
>> In case of infectiuon of some system files should be necessary to
>> reinstall operating system, to restore the files from backup or to
>> extract the files from installation *.cab archives .
>>
>> Or...install the AVG on the other machine and then burn the folder
>> to the CD. Try to copy the folder to the hard drive of your machine
>> and run from there, but, it not, then try to run it from the CD,
>> using the path to the CD as the location. Don't know about that for
>> sure, but.....you can try. :-)
>>
>> Please post back with the results and any error messages you may get.
>>
>> Jan :)
>> Smiles are meant to be shared,
>> that's why they're so contagious.
>>
>> Please reply to the newsgroup so others may benefit.
>> Replies are posted only to the newsgroup for the benefit or other
>> readers.
>>
>> How to make a good newsgroup post:
>> http://www.dts-l.org/goodpost.htm
>>
>>
>>
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> Hi Pussn :-)
>>>>
>>>> Don't give up so easy! So.....let's work together a bit here and
>>>> try to take back your PC. :-))
>>>>
>>>> (NOTE: If you can not download these programs from the Internet, if
>>>> your PC has CD read capabilities, go to another computer with CD-
>>>> ROM burning capabilities. Create a folder on the hard drive of the
>>>> other computer called HOLD, download the programs to that folder,
>>>> then burn that folder to a CD. Copy the HOLD folder to your HD and
>>>> then install the programs from there and run them. After you have
>>>> IE access again, update all programs where possible to get the
>>>> latest definitions and run them again to be sure there are no
>>>> lingering items on the system.) Hopefully, you know someone with
>>>> a PC you can use that has CD burner capability, or go to a public
>>>> library.
>>>>
>>>> Understand that reinstalling IE or your OS at this point will not
>>>> resolve the problem, and may even make it worse, so please, DO NOT
>>>> try to reinstall anything until you have cleaned your system. Do
>>>> the following, and the parts you can't do from your PC, do from
>>>> another, but, do them. We can't do the work there for you there,
>>>> so, this is your end of the partnership. <g> However, if at any
>>>> time you have a question or problem, post back here and we'll help
>>>> you work through it. OK? :-))
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>> Please follow all instructions carefully:
>>>>
>>>> Courtesy of Jim Byrd:
>>>>
>>>> Sounds like this might be a variant of some malware called
>>>> CoolWebSearch (if CWShredder doesn't fix it, then see AdAware,
>>>> SpyBot, and HijackThis, below, in that order). Do the following:
>>>>
>>>>
>>>> #########IMPORTANT#########
>>>> Before you try to remove spyware using any of the programs below,
>>>> download both a copy of LSPFIX here:
>>>>
>>>> http://www.cexx.org/lspfix.htm
>>>>
>>>> AND a copy of Winsockfix
>>>> http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
>>>> Directions here:
> http://www.tacktech.com/display.cfm? ttid=257
>>>>
>>>> The process of removing certain malware may kill your internet
>>>> connection. If this should occur, these programs, LSPFIX and
>>>> WINSOCKFIX, will enable you to regain your connection.
>>>>
>>>> NOTE: It is reported that in XP SP2, the command netsh winsock
>>>> reset will fix this problem without the need for these programs.
>>>> #########IMPORTANT#########
>>>>
>>>>
>>>>
>>>> #########IMPORTANT#########
>>>> All of the following removal tools should be run from Safe mode
>>>> when possible.Reboot and test if the malware is fixed after using
>>>> each tool. #########IMPORTANT#########
>>>>
>>>>
>>>> Download and run Stinger.exe, here:
>>>> http://download.nai.com/products/mcafee-
>>> avert/stinger.exe or from the link
>>>> on this page: http://vil.nai.com/vil/stinger/
>>>>
>>>>
>>>> Download sysclean.com, from Trend Micro, here:
>>>> http://www.trendmicro.com/download/dcs.asp along with the latest
>>>> pattern file, here:
>>> http://www.trendmicro.com/download/pattern.asp (You
>>> might also
>>>> want to get Art's updater, SYS-UP.Zip, here for future updating of
>>>> these: http://home.epix.net/~artnpeg/). Place them in a dedicated
>>>> folder after appropriate unzipping, and then run.
> (If you download
>>>> and use the updater from the beginning, it will automatically
>>>> handle downloading the other files.)
>>>>
>>>>
>>>> Sometimes the tools below will find files which they are unable to
>>>> delete because they are in use. A program called Copylock, here,
>>>> http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the
>>>> process of "replacing, moving, renaming or deleting one or many
>>>> files which are currently in use (e.g. system files like
>>>> comctl32.dll, or virus/trojan files.)"
>>>>
>>>>
>>>> Download, UPDATE before running, and run:
>>>> http://209.133.47.200/~merijn/files/CWShredder.exe or here:
>>>> http://hem.bredband.net/b157129/f/cwshredder.zip or here:
>>>>
> http://www.softpedia.com/public/scripts/downloadhero/10-
> 17-150/ or
>>>> here:
> http://www.zerosrealm.com/downloads/CWShredder.zip
>>>> to remove the parasite. Be sure to close all instances of IE and
>>>> OE.
>>>>
>>>> There's a good tutorial about CWS and using CWShredder here:
>>>> http://www.bleepingcomputer.com/forums/index.php?
>>>> showtutorial=47#domain
>>>>
>>>> BE SURE that you get v.1.59.0.1 or later!
>>>>
>>>> You will need to show Hidden files first and then at the end clear
>>>> the malware garbage from your System Restore backups after you've
>>>> cleaned up. It's best to perform CWShredder (and most other malware
>>>> fixers too) from Safe mode and then reboot. AFTER cleaning things
>>>> up, then you can disable and then re-enable System Restore. See
>>>> ******** below.
>>>>
>>>> The following links give instructions on how to do these various
>>>> functions:
>>>>
>>>> HOW TO Restart in Safe Mode
>>>>
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/
>>>> 2001052409420406
>>>>
>>>> HOW TO Enable Hidden Files
>>>>
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/
>>>> 2002092715262339
>>>>
>>>> HOW TO Disable/Flush System Restore (do this at the end AFTER
>>>> cleaning or use the suggested procedure for XP at the ******'s)
>>>>
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/
>>>> 2001111912274039 (WinXP)
>>>>
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/
>>>> 2001012513122239 (WinME)
>>>>
>>>> Then download and run:
>>>> http://www.kellys-korner-
> xp.com/regs_edits/iegentabs.reg to restore
>>>> your tabs and remove any restrictions that the parasite has put in
>>>> place.
>>>>
>>>> Now download and run:
>>>> http://www.kellys-korner-
>>> xp.com/regs_edits/RestoreSearch2.REG to restore
>>>> your search functions if they've been affected (as they probably
>>>> will have been).
>>>>
>>>> Be sure that you also download and install hotfix Q816093, here:
>>>> http://support.microsoft.com/?kbid=816093
>>>> which blocks the exploit upon which this parasite family depends.
>>>>
>>>> However, this also indicates that you may have acquired some other
>>>> malware along the way. If you go to this page at Jim Eshelman's
>>>> site, here: http://aumha.org/a/noads.htm and wait a little bit (be
>>>> patient), an analysis of a number of possible parasites on your
>>>> machine will be made to help you identify and remove them. NOTE:
>>>> You will need to disable Ad Blocking in Zone Alarm 3.x or later, if
>>>> present or any other Ad Blocking software which interferes with
>>>> Java Scripting for this scan to work. You should get a message
>>>> between the two lines of **** giving the results of the scan.
>>>>
>>>> Get Ad-Aware SE Personal Edition, here:
>>>> http://www.lavasoftusa.com/support/download/.
> UPDATE, set it up in
>>>> accordance with this:
>>> http://forum.aumha.org/viewtopic.php?t=5877 or the
>>>> directions immediately below and run this regularly to get rid of
>>>> most "spyware/hijackware" on your machine. If it has to fix
>>>> things, be sure to re-boot and rerun AdAware again and repeat this
>>>> cycle until you get a clean scan. The reason is that it may have
>>>> to remove things which are currently "in use" before it can then
>>>> clean up others. Configure Ad-aware for a customized scan, and
>>>> let it remove any bad files found.....
>>>>
>>>> <Begin Setup Directions>
>>>> Then, courtesy of NonSuch at Lockergnome, open Ad- aware then click
>>>> the gear wheel at the top and check these options to configure Ad-
>>>> aware for a customized scan:
>>>>
>>>> General> activate these: "Automatically save log- file" and
>>>> "Automatically quarantine objects prior to removal"
>>>>
>>>> Scanning > activate these: "Scan within
> archives", "Scan active
>>>> processes", "Scan registry", "Deep scan
> registry," "Scan my IE
>>>> Favorites for banned sites," and "Scan my Hosts file"
>>>>
>>>> Tweaks > Scanning Engine> activate this: "Unload recognized
>>>> processes during scanning."
>>>>
>>>> Tweaks > Cleaning Engine: activate
> these: "Automatically try to
>>>> unregister objects prior to deletion" and "Let Windows remove files
>>>> in use after reboot."
>>>>
>>>> Click "Proceed" to save your settings, then
>>> click "Start." Make sure
>>>> "Activate in-depth scan" is ticked green, then scan your system.
>>>> When the scan is finished, the screen will tell you if anything has
>>>> been found, click "Next." The bad files will be listed. Right click
>>>> the pane and click "Select all objects" - This will put a check
>>>> mark in the box at the side, click "Next" again and
> click "OK" at the
>>>> prompt "# objects will be removed. Continue?"
>>>> <End Setup Directions>
>>>>
>>>> Courtesy of
>>> http://www.nondisputandum.com/html/anti_spyware.html:
>>> HINT: If
>>>> Ad Aware is automatically shut-down by a malicious software, first
>>>> run AWCloak.exe,
>>> http://www.lavasoftnews.com/downloads/AAWCloak.exe,
> before
>>>> opening Ad Aware. When AAWCloak is open,
> click "Activate Cloak".
>>>> Than open Ad Aware and scan your system.
>>>>
>>>>
>>>> Another excellent program for this purpose is SpyBot Search and
>>>> Destroy available here: http://security.kolla.de/ SpyBot Support
>>>> Forum here: http://www.net-integration.net/cgi-
>>> bin/forums/ikonboard.cgi. I recommend
>>>> using both normally. After UPDATING and fixing ONLY RED things
>>>> with SpyBot S&D, be sure to re-boot and rerun SpyBot again and
>>>> repeat this cycle until you get a clean "no red" scan. The reason
>>>> is that SpyBot sometimes has to remove things which are currently
>>>> "in use" before it can then clean up others.
>>>>
>>>> Note that sometimes you need to make a judgement call about what
>>>> these programs report as spyware. See here, for example:
>>>> http://www.imilly.com/alexa.htm
>>>>
>>>> Both of these programs should normally be UPDATED and run after
>>>> doing any other fix such as CWShredder and, as a minimum, normally
>>>> at least once a week.
>>>>
>>>> If they don't fix it then start here:
>>>>
>>>> Download HijackThis, free, here:
>>>> http://209.133.47.200/~merijn/files/HijackThis.exe (Always download
>>>> a new fresh copy of HijackThis [and CWShredder also] -
> It's UPDATED
>>>> frequently.) You may also get it here if that link is blocked:
>>>> http://www.majorgeeks.com/downloadget.php?
>>> id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
>>>> or here:
>>>
> http://www.bleepingcomputer.com/files/spyware/hijackthis.z
>>> ip
>>>>
>>>> In Windows Explorer, click on Tools|Folder Options|View and check
>>>> "Show hidden files and folders" and uncheck "Hide protected
>>>> operating system files". (You may want to restore these when
>>>> you're all finished with HijackThis.)
>>>>
>>>> Place HijackThis.exe or unzip HijackThis.zip into its own dedicated
>>>> folder at the root level such as C:\HijackThis (NOT in a Temp
>>>> folder or on your Desktop), reboot to Safe mode, start HT (have
>>>> ONLY HT running - IE MUST be closed) then press Scan. Click on
>>>> SaveLog when it's finished which will create hijackthis.log. Now
>>>> click the Config button, then Misc Tools and click on Generate
>>>> StartupList.log which will create Startuplist.txt
>>>>
>>>> Then go to one of the following forums:
>>>>
>>>> Spyware and Hijackware Removal Support, here:
>>>> http://forums.spywareinfo.com/
>>>>
>>>> or Net-Integration here:
>>>> http://www.net-integration.net/cgi-
>>> bin/forum/ikonboard.cgi?
>>> s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>>>>
>>>> or Tom Coyote here:
>>> http://forums.tomcoyote.org/index.php?act=idx
>>>> or Jim Eshelman's site here: http://forum.aumha.org/
>>>> or Bleepingcomputer here:
>>> http://www.bleepingcomputer.com/
>>>> or Computer Cops here:
>>> http://www.computercops.biz/forums.html
>>>>
>>>>
>>>> Register if necessary, then sign in and READ THE DIRECTIONS at the
>>>> beginning of the particular site's HiJackThis forum, then copy and
>>>> paste both files into a message asking for assistance, Someone will
>>>> answer with detailed instructions for the removal of your
>>>> parasite(s). Be sure you include at the beginning of your post a
>>>> description of "What specific problem(s)/symptoms you're trying to
>>>> solve" and "What steps you've already taken."
>>>>
>>>>
>>>> *******
>>>> ONLY IF you've successfully eliminated the malware, you can now
>>>> make a new, clean Restore Point and delete any previously saved
>>>> (possibly infected) ones. The following suggested approach is
>>>> courtesy of Gary Woodruff: For XP you can run a Disk Cleanup
>>>> cycle and then look in the More Options tab. The System Restore
>>>> option removes all but the latest Restore Point. If there hasn't
>>>> been one made since the system was cleaned you should manually
>>>> create one before dumping the old possibly infected ones. *******
>>>>
>>>> Once you get this cleaned up, you might want to consider installing
>>>> Eric Howes' IESpyAds, SpywareBlaster and SpywareGuard here to help
>>>> prevent this kind of thing from happening in the future:
>>>>
>>>> IESpyads -
>>> https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-
>>> SPYAD adds
>>>> a long list of sites and domains associated with known advertisers,
>>>> marketers, and crapware pushers to the Restricted sites zone of
>>>> Internet Explorer. Once you merge this list of sites and domains
>>>> into the Registry, the web sites for these companies will not be
>>>> able to use cookies, ActiveX controls, Java applets, or scripting
>>>> to compromise your privacy or your PC while you surf the Net. Nor
>>>> will they be able to use your browser to push unwanted pop- ups,
>>>> cookies, or auto-installing programs on your PC." Read carefully.
>>>>
>>>> http://www.javacoolsoftware.com/spywareblaster.html (Prevents
>>>> malware Active X installs) (BTW, SpyWareBlaster is not memory
>>>> resident ... no CPU or memory load - but keep it UPDATED) The
>>>> latest version as of this writing will prevent installation or
>>>> prevent the malware from running if it is already installed, and
>>>> it provides information and fixit-links for a variety of parasites.
>>>>
>>>> http://www.javacoolsoftware.com/spywareguard.html (Monitors for
>>>> attempts to install malware) Keep it UPDATED. All three Very
>>>> Highly Recommended
>>>>
>>>> Finally, go to Windows Update and ensure that ALL Critical updates
>>>> are installed.
>>>>
>>>>
>>>> If these steps do not resolve your problem, please post back to
>>>> this thread with the details and any error messages.
>>>>
>>>>
>>>> Hope this helps
>>>>
>>>> Jan :)
>>>> Smiles are meant to be shared,
>>>> that's why they're so contagious.
>>>>
>>>> Please reply to the newsgroup so others may benefit.
>>>> Replies are posted only to the newsgroup for the benefit or other
>>>> readers.
>>>>
>>>> How to make a good newsgroup post:
>>>> http://www.dts-l.org/goodpost.htm
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>> -----Original Message-----
>>>>>> Hi again
>>>>>>
>>>>>> I'm still having a problem with IE6! OS is XP with
>>>>>> SP2 (I'm assuming, I see windows SR 2.0 in my programs
>>>>>> list), and I think I've been attacked by a virus or
>>>>>> whatever is out there that's taken out my browser. It
>>>>>> comes up but doesn't connect to the internet. I've gone
>>>>>> to Microsoft to download it again, but it still doesn't
>>>>>> work!
>>>>>> I've gone back to several posts screaming for help
>>>>>> but the responses are a little confusing to this still
>>>>>> newbie. Registry? Backing it up? How does one do that?
>>>>>> How does one check it for viruses? I think what I need
>>>>>> here is someone to lead me by the hand, I'm that nervous
>>>>>> about digging around that deep inside the pc. Or would it
>>>>>> better for me just to scrub everything clean (format) and
>>>>>> start fresh?
>>>>>> So, is there anyone out there willing to give this
>>>>>> ole gal a helping hand? Please? I'll bake you a
>>> pie ;O)
>>>>>>
>>>>>> Regards and thanks in advance, Pussn
>>>>>>
>>>>>> PS-Not much meat to the info, I know, so please, go ahead
>>>>>> and ask! I just don't know what else to add. Thanks
>>>>>> .
>>>>>>
>>>>>
>>>>> Never mind....whatever it was that took out my browser
>>>>> has now locked me out completly from the pc, can't even
>>>>> get into my own account. Nothing. Stoopit hackers. I hate
>>>>> em all!
>>>>
>>>>
>>>> .
>>
>>
>> .

Loading