Re: Getting rid of residual adware/spyware elements

From: Mike Burgess (winhelp2002_at_spamthis.com)
Date: 02/08/04


Date: Sun, 8 Feb 2004 08:04:22 -0500

Jeff,
Do you have a link to where you posted your HT log?
I'll have a look ..... as for the HOSTS file, when you see a
message like that, it means it's been hijacked (altered) by one
or more parasites that are now redirecting or preventing you
from accessing some sites.

You can either rename the file, or as suggested you can delete
it and obtain another (see below)
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 02-07-04]
Please post replies to this Newsgroup, email address is invalid

--
"Jeff Conrad" <jeffc@ernstbrothers.com> wrote in message
news:eMESneO7DHA.488@TK2MSFTNGP12.phx.gbl...
> Hi Mike,
>
> Apologies for the delay and oversight in noticing the link also mentioned
> deleting the Temp folder. My bad.
>
> Ok, I did the deltree option and deleted the History, Temp, and TIF folders.
> Restarted the machine and immediately went to the TIF folder before doing
> anything else.
> There were two files in it:
>
> SelectorV2[1].htm
> skin[1].htm
>
> I deleted them immediately.
> The vupd folder in the Temp directory also was back.
> Frustrating!
>
> I downloaded the HijackThis.exe and scanned.
> There definitely appears to be still some problems.
> It said I should probably delete the Hosts file.
> What would happen if I do that?
> I think there are some other Hosts files as well.
> Should I delete them all??
>
> I saved the scan log from HijackThis and posted a question on the forum
> mentioned elsethread.
>
> I'm very hesitant about proceeding further without expert advice; I don't
> want to make a mistake on their computer and blow it up!
>
> Thanks for any guidance,
> Jeff
>
>
> "Mike Burgess" <winhelp2002@spamthis.com> wrote in message
> news:#U6fLIT6DHA.2712@tk2msftngp13.phx.gbl...
> > Jeff,
> > >"The link you pointed me to discusses emptying the Temporary Internet File Folder"
> > If you look again ........ it does include the "Temp" folder.
> > http://mvps.org/winhelp2002/delcache.htm#Win98
> > --
> > Restart in Ms-Dos Mode
> > From C:\> (type and press Enter after each command)
> >
> > cd\windows
> > smartdrv
> > deltree tempor~1
> > deltree history
> > deltree temp
> >
> > Restart (Ctrl-Alt-Del)
> > ____________________________________________________________
> > Mike Burgess  [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
> > Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
> > http://www.mvps.org/winhelp2002/hosts.htm [updated 01-31-04]
> > Please post replies to this Newsgroup, email address is invalid
> > --
> >
> >
> > "Jeff Conrad" <jeffc@ernstbrothers.com> wrote in message
> > news:uS7xtCP6DHA.3548@TK2MSFTNGP11.phx.gbl...
> > > Hi Mike,
> > >
> > > Your expertise is most welcome.
> > > I'm a little confused by your response though.
> > > The link you pointed me to discusses emptying the Temporary Internet File
> > > Folder.
> > > I have used the deltree thing before on computers in the past so I do have
> > > experience with that.
> > >
> > > However, this folder is appearing in the Windows Temp folder, not the TIF
> > > folder.
> > > If I delete the folder in Explorer it comes back after the next restart.
> > > I have already cleared EVERYTHING out of the TIF and Cookies folders.
> > > Are you saying I should still do the deltree option on this 98 machine?
> > >
> > > I do appreciate the links.
> > > I won't be able to run the test and post the results until later in the
> > > week.
> > >
> > > Thanks again for the help and support,
> > > Jeff
> > >
> > >
> > > "Mike Burgess" <winhelp2002@spamthis.com> wrote in message
> > > news:OoZyROE6DHA.3548@TK2MSFTNGP11.phx.gbl...
> > > > Jeff,
> > > > >"Or do I even need to worry at all about them?"
> > > > Yes you need to worry about them!
> > > >
> > > > >"C:\Windows\Temp\vupd"
> > > > That's the first clue ..... empty the "Temp" folder
> > > > http://mvps.org/winhelp2002/delcache.htm#Win98
> > > >
> > > > As Russell suggested, run HijackThis and post your log here:
> > > > [SpyBot Support Forum]
> > > > http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi
> > > > ____________________________________________________________
> > > > Mike Burgess  [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
> > > > Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
> > > > http://www.mvps.org/winhelp2002/hosts.htm [updated 01-25-04]
> > > > Please post replies to this Newsgroup, email address is invalid
> > > > --
> > > >
> > > > "Jeff Conrad" <jeffc@ernstbrothers.com> wrote in message
> > > > news:OjTfNc15DHA.360@TK2MSFTNGP12.phx.gbl...
> > > > > Hi,
> > > > >
> > > > > I hope this is an appropriate place to post this question.
> > > > > I've spent MANY hours cleaning up a computer in the office here that was
> > > > > proliferated with adware/spyware and a couple of viruses. And yes, I slapped
> > > > > the person silly!
> > > > > It is Windows 98 SE.
> > > > >
> > > > > I updated their McAfee virus DAT files and cleaned the viruses.
> > > > > I installed Spybot Search And Destroy, updated the program, and then
> > > > > scanned.
> > > > > Good golly they had a ton of stuff!
> > > > > The scanner even said, "Whew, hang on a minute I need a breather.." <g>
> > > > >
> > > > > Their home page was always being hijacked which was obviously a tell-tale
> > > > > sign of adware/spyware. They had several kinds. Symantec's removal
> > > > > instructions for one of them was pretty poor. It listed all the registry
> > > > > entries, but it gave no clue as to what they should be changed back to. So I
> > > > > took some screen shots of my registry and manually made the changes back.
> > > > > All seems to be OK now.
> > > > >
> > > > > Several passes of the virus scanner all come clean now.
> > > > > Several passes of Spybot come clean EXCEPT for 2 things every time.
> > > > >
> > > > > 1. First Issue:
> > > > > It says "NewtonKnows" and lists a folder called:
> > > > > C:\Windows\Temp\vupd
> > > > > I check to fix the problem and it goes away.
> > > > > But, when I restart the machine it is back!
> > > > > If I manually delete it in Explorer it returns again on the next restart!
> > > > > What's going on?!
> > > > >
> > > > > 2. Second Issue:
> > > > > They had the Look2Me spyware.
> > > > > The removal instructions say to delete a few registry entries, but they
> > > > > return!
> > > > > Specifically:
> > > > > HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-E81D-4454-89FC-B9FDO631E726}
> > > > > If I delete the key it goes away.
> > > > > Then I close the registry.
> > > > > Open registry back up and IT'S THERE AGAIN!
> > > > > Also sometimes, one of the other registry entries comes back as well!
> > > > > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell
> > > > > Extensions{same number above}
> > > > > I delete it and it comes back!
> > > > >
> > > > > Why do these keep re-appearing?!!
> > > > > And how do I get rid of them?
> > > > > Or do I even need to worry at all about them?
> > > > >
> > > > > Any help would be most appreciated.
> > > > > Jeff
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
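
Added example (not part of the original thread, and not Mike Burgess's or HijackThis's code): a small audit of a HOSTS file for the kind of hijack described in the reply at the top, entries that redirect a site to a foreign address or prevent access to a security or update site. Plain loopback entries are treated as ordinary blocking, as in a blocking HOSTS file; the PROTECTED_HINTS list, the function names and the sample file are assumptions constructed for this example.

```python
import ipaddress

# Name that a stock HOSTS file maps to loopback.
STOCK_NAMES = {"localhost"}
# Assumption for this example: substrings of security/update sites whose
# blocking suggests tampering. Extend for your own environment.
PROTECTED_HINTS = ("windowsupdate", "mcafee", "symantec", "microsoft")

# Constructed sample, not taken from the thread.
SAMPLE = """\
# constructed sample HOSTS file
127.0.0.1   localhost
127.0.0.1   ads.example.net          # ordinary ad-blocking entry
127.0.0.1   download.mcafee.com
203.0.113.7 www.example.com search.example.org
0.0.0.0 windowsupdate.microsoft.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) per mapping; ip is None if malformed."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield line_no, None, raw.strip()
            continue
        for name in fields[1:]:               # one line may carry aliases
            yield line_no, ip, name.lower()

def audit_hosts(text):
    """Return (line_no, kind, hostname) findings worth a manual look."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((line_no, "malformed", name))
        elif name in STOCK_NAMES:
            if not ip.is_loopback:            # localhost pointed elsewhere
                findings.append((line_no, "redirect", name))
        elif ip.is_loopback or ip.is_unspecified:
            if any(h in name for h in PROTECTED_HINTS):
                findings.append((line_no, "blocked", name))
        else:                                 # site sent to a foreign address
            findings.append((line_no, "redirect", name))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

A "redirect" finding is not proof of tampering, since administrators sometimes add such mappings on purpose; it marks the lines to check before renaming or replacing the file.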

