Re: How do I remove the pop up ad virus?

From: Sandi - Microsoft MVP (
Date: 02/05/04

Date: Thu, 5 Feb 2004 21:12:10 +0800

Hi Eric,

You will find various shutdown problems discussed at the URL below:

Sandi - Microsoft MVP since 1999 (IE/OE)
"Eric" <> wrote in message 
>I ran all the programs you suggest and it removed the virus.  I just
> downloaded and ran them all, so I'm not sure which one worked, but
> wscript.exe doesn't show in my task list anymore.  Wherever it was loading
> from, it appears to have been removed.
> Now the only issue I have is shutting down.  When I selected Shutdown
> yesterday, it went to a black screen with a blinking cursor and didn't 
> shut
> off.  It has done this a couple times before.  This is on Windows ME.
> My PC at work also has issues with not shutting down right.  It has 
> Windows
> 2000.  There is no error message.  Sometimes it just reboots when I 
> selected
> shutdown.  Sometimes it appears to shut down properly, but the next time I
> boot it up, I get that disk checking thing that should only appear if it 
> was
> shut down improperly.  There are no error messages.
> "Sandi - Microsoft MVP" <> wrote in message
> news:#EbhJMP4DHA.2348@TK2MSFTNGP10.phx.gbl...
>> Temp files and IE caches are two places to look.  Some of the following
>> advice is repetitious, but...
>> Get yourself a copy of BHODemon, available at
>> .
>> It does not need installing - simply unzip and run the EXE programme. It
> is
>> very easy to use.  It will often find the following hijackware DLL files,
>> and give you the ability to disable them easily.
>> Many people like AdAware, available at Make sure you 
>> keep
>> the signature files up to date and remember, AdAware only removes the
>> current install; it can't do anything about software that reinstalls
> itself
>> (unless you want to get stuck in an endless loop of
>> hijack/cleanout/hijack/cleanout). Sometimes you will have to track down
> and
>> remove the software that keeps putting the hijackware back - hence this
>> advice section.  Warning: AdAware is now version 6.181. All previous
>> versions are NO LONGER SUPPORTED and will not be updated.
>> The more experienced user can try Spybot. Again, it is a free programme
>> which can be downloaded from:  Warning: it is
>> a good programme for the inexperienced.  If you want to use this
> programme,
>> please get the advice of those more experienced before 'fixing' anything
>> that it finds.
>> Go to the link below to check your system for parasites (supplied by
>> Another excellent programme that allows you to examine your system and
>> *create a results log for experts to examine* is HijackThis, available
> from:
>> Download and run the latest version of "Cool Web Shredder"
>> Here is advice specific to:
>> home page hijackings
>> pop-up ads
>> search engine hijackings
>> IMPORTANT: The above programmes are excellent, and a lot of credit goes 
>> to
>> those who authored and update the programmes, but they can NOT detect
>> everything that is out there - as time goes on the programmes will become
>> more and more unwieldy if they try to maintain a standard of positive
>> identification for as much spyware as possible, and it will be harder and
>> harder for the programmes to catch everything that is out there. More and
>> more spyware uses RANDOM names as part of their programme making it
>> impossible for positive identification to occur, therefore....
>> It is VERY IMPORTANT that you learn how to examine your system for
> potential
>> problems as well as using 'fixit' programme such as AdAware or Spybot.
>> Check your startup folder and MSCONFIG (startup tab).  You can also check
>> the following registry keys and edit as appropriate (if you have
> experience
>> with same).
>> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
>> The following link will lead you to some Microsoft KB articles about the
>> basics of the Registry and working with it:
>> An experienced computer technician can use programme such as AutoStart
>> Viewer for in-depth diagnosis:
>> Empty your IE cache and your other temporary file folders, eg:
>> c:\windows\temp (if using Windows 98) or  C:\Documents and
>> Settings\<name>\Local Settings\Temp (the path to your temp folder will
>> change depending on your name) - sometimes programmes can be hidden in
>> there - watch out for mysterious *.exe files or *.dll files in those
>> folders.
>> Go to IE Tools, Internet Options, Temporary Internet Files {Settings
>> Button}, View Objects, Downloaded Programme Files. Check for unusual
> objects
>> there.
>> Go to IE Tools, Internet Options, Accessibility.  Make sure there is no
>> style sheet chosen (under User Style Sheet - format documents using my
> style
>> sheet). If the option is turned on, turn it OFF.
>> It is possible to turn off third party extensions (Enable third-party
>> browser extensions (requires restart) at IE tools, internet options,
>> advanced) to disable *all* plug-ins but troubleshooting will be difficult
>> and it is only a BANDAID. Nothing gets fixed.  There is software that
>> depends on 'third party browser extensions" to work, including Acrobat,
>> Microsoft Money, and many other programmes.
>> --
>> _______________________________________
>> Sandi - Microsoft MVP since 1999 (IE/OE)
>> "Eric" <> wrote in message
>> news:%23iVpHBP4DHA.2380@TK2MSFTNGP09.phx.gbl...
>> >I apparently have a virus on my home PC, and I can't figure out how it
>> > executes.  A program called wscript.exe runs when I boot up and I don't
>> > know
>> > where it's coming from.  If I don't kill it from the task manager, it
> runs
>> > unnoticed for a while in the background.  After a while, a pop up ad
>> > window randomly appears.  If I kill the process wscipt.exe, I don't get
>> > the
>> > pop up windows.  How does this program start itself?  I checked
> everywhere
>> > I
>> > know of that runs things on startup and it still runs.  My operating
>> > system
>> > is Windows ME.  Here's what I've tried:
>> >
>> > 1) I checked the Start - Programs - Startup folder for anything I don't
>> > recognize and found nothing.
>> > 2) I checked the registry using Regedit.  I looked in all 4 Run keys 
>> > and
>> > removed anything I didn't recognize, including:
>> > \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>> >
> \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
>> > \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>> > \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
>> > 3) I ran programs to remove viruses and popups, including AdAware from
>> >, AVG from
>> > , and Spybot from
>> > 4) I checked Msconfig, didn't see anything in there containing
> wscript.exe
>> > and didn't want to remove anything since I don't know what most of that
>> > is.
>> > 5) I checked a virus vendor website referred to by Jimmy S on
>> >  One of his two links just seemed to
>> > recommend paying them for their software and sounded like they couldn't
> do
>> > anything for you unless you pay them.  The other link had references to
>> > check in the registry.  I checked all the registry entries, and they
> were
>> > exactly as the site said they should be.  The links were:
>> >
>> > and
>> >
>> > A
>> > 6) I periodically run Regedit and select the Export option on the menu
> and
>> > choose to export all branches, so I ran Regedit and selected to Import 
>> > a
>> > registry file that I believe was before the problem started.
>> > 7) I checked for win.ini in the c:\Windows\System and
> c:\Windows\System32
>> > path and looked for any references in it to load= or run= .  I also
>> > checked
>> > for anything in c:\autoexec.bat and c:\config.sys.  I didn't see
> anything
>> > there.
>> > 8) I tried reinstalling Windows ME over my current installation.
>> >
>> > The problem still exists.  wscript.exe loads every time I boot up and 
>> > if
> I
>> > don't kill it, I get pop up windows.  Where else am I missing?  Where
>> > could
>> > wscript.exe be starting from?  I'm not sure what else to do to fix it
>> > short
>> > of searching my hard drive for anything I want to save and trying to
> back
>> > it
>> > all up, then reformatting and reinstalling Windows from scratch.  After
>> > exhausting all other known options, Jimmy referred me to this board.
> Help
>> > please!
>> >
>> >
>> >
>> >

Relevant Pages

  • Re: Empfehlung fuer Linux-Einsteigerseite?
    ... Der Desktop ist unter Linux in viel weiterem Umfang einstellbar als bei ... Verwendung der Maustasten ist meist ziemlich ähnlich wie in Windows, ... der in deiner Bekanntschaft auch ein Linux hat. ... Solche Programme werden typischerweise nicht über ...
  • Re: Hardware ansprechen
    ... man nennt es Wintel windows braucht bessere hardware ... (was sagt MS nochmal über zugriffe auf die Hardware?) ... Du darfst nur treiber verwenden die von MS ... direkten Einfluss auf andere Programme unter Windows. ...
  • Re: Hamegs HMO und SCPI
    ... Windows ist erstaunlich gut rueckwartskompatibel. ... Programme ohne Alternative für andere OS. ... zusammen mit dem Entwickler verbessert werden musste (keine ... Die Instek PC-Software ist so ein Beispiel. ...
  • Re: IE6 on Win XP hangs for 20 seconds after each page
    ... >>remove the software that keeps putting the hijackware back ... > free programme ... >>Go to IE Tools, Internet Options, Temporary Internet Files ... >>>>I have IE6 on a Windows XP system. ...
  • Re: IE6.0 wont launch - "Internet signup file is corrupt"
    ... the error message you reproduce is *not* standard to windows. ... It does not need installing - simply unzip and run the EXE programme. ... It will often find the following hijackware DLL files, ... Go to IE Tools, Internet Options, Temporary Internet Files {Settings ...