Re: Hijacker

From: taff (taff_at_the-valleys.com)
Date: 06/26/04


Date: Sat, 26 Jun 2004 13:14:17 +0100

On Sat, 26 Jun 2004 18:12:51 +0800, "Sandi - Microsoft MVP"
<sandi_hardmeier@mvps.org> wrote:

>Cheryl wrote:
>> I don't understand why it looks like I am running Windows
>> ME. My computer came with windows XP pro and that is what
>> is listed if I go to My computer and check the About
>> Windows link. Could someone have tampered with the
>> software to make it appear like I am running one when I am
>> really running the other? The OS came preloaded.
>
>I'd be interested to know how she spotted WindowsME as well ;o)
>
Sorry She is a HE, <g> and I noticed
http://www.liutilities.com/products/wintaskspro/processlibrary/wuauclt/
in the log, which is, I believe, the ME auto update manager.

Taff...........

>There are many people who have helped this FAQ improve over time - MVPs and
>newsgroup users. I thank all of you who have made the newsgroups,
>anti-malware websites and dedicated mailing lists into such a wonderful
>resource.
>
>Read the advice at my prevention link
>(http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of
>your computer being infected.
>
>IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
>the URL below - some malware can kill your internet connection when it is
>removed, and this software should get things going for you again:
>http://www.cexx.org/lspfix.htm
>
>Also get a copy of WINSOCKFIX available at:
>http://www.spychecker.com/program/winsockxpfix.html
>
>The software you should download and have ready to use is:
>
>AdAware - www.lavasoft.de [..Warning: AdAware is now version 6.181. All
>previous versions are NO LONGER SUPPORTED and will not be updated...]
>
>Spybot Search and Destroy - http://spybot.eon.net.au
>
>HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe
>
>CWShredder - http://www.merijn.org/files/CWShredder.exe
>
>IMPORTANT: After obtaining the required software above, make sure you check
>for updates and run the programmes in safe mode.
>
>Malware removal (beginner's guide):
>
>First, go to Control Panel, add/remove programs. Check for malware entries
>and use the uninstall programs, then reboot.
>
>Go to start/run and type MSCONFIG. Go to the startup tab. Disable
>everything that you do not recognise as legitimate (do not disable any power
>profile options).
>
>Now go to the Services tab. Turn on the option to 'hide all Microsoft
>Services'. Disable everything that remains. If you don't have this option,
>don't worry about it.
>
>Reboot your computer and hold down the F8 key until the boot menu options
>appear. Choose Safe Mode as your startup choice. You will find
>information about what safe mode is, and what it does, at this link
>[http://inetexplorer.mvps.org/data/safe_mode.htm]
>
>Start CWSHREDDER. Update it, and fix anything it finds. Reboot back into
>safe mode.
>
>Start AdAware. Use the 'check for updates now' option. After you have
>updated, click 'start'.
>
>Note that when run using default settings, AdAware does not cope with new
>'intelligent' malware. Make the following changes to the default settings.
>
>Use the option 'select drives/folders to scan'. Set AdAware to scan your
>entire hard drive.
>
>Make sure 'activate in depth scan' is enabled.
>
>Select 'use custom scanning options' and then click on the 'customize'
>button. Turn on the following scan options - scan within archives, scan
>active processes, scan registry, deep registry scan, scan [my] IE favorites
>for banned URLs, and scan [my] hosts file.
>
>Use the 'tweak' button. Turn on the following options:
>
>Cleaning engine: 'automatically try to unregister objects prior to
>deletion', 'let windows remove files in use at next reboot', 'delete
>quarantined objects after restoring'.
>
>Scanning engine: 'unload recognized processes during scan'.
>
>After you have finished with AdAware run Spybot to pick up any leftovers.
>Fix anything marked in red. Again, don't forget to check for updates.
>
>Also do the following:
>
>Empty your IE cache and your other temporary file folders, eg: c:\temp,
>c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
>path to your temp folder will change depending on your name) - sometimes
>programmes can be hidden in there - watch out for mysterious *.exe files or
>*.dll files in those folders.
>
>Go to IE Tools, Internet Options, Temporary Internet Files {Settings
>Button}, View Objects, Downloaded Program Files. Check for unrecognised
>objects there.
>
>Go to IE Tools, Internet Options, Accessibility. Make sure there is no style
>sheet chosen (under User Style Sheet - format documents using my style
>sheet). If the option is turned on, turn it OFF.
>
>If the problem comes back, start all over again but with the following
>changes (this section requires advanced computer skills - inexperienced
>users will require assistance):
>
>Examine win.ini using MSCONFIG to see what is loading. You may find
>something there. Go to MSCONFIG and go to the General tab. Turn off
>process win.ini file, load system services and load startup items. Restart
>Windows and run AdAware etc once more.
>
>Use services.msc to see what is running. Some malware is now registering
>itself as a Service. The problem is working out what is legitimate and what
>is not.
>
>I strongly recommend that unless you have strong experience working in this
>area that until such time as I am able to track down a comprehensive list of
>legitimate services (or put one together myself), that you post details of
>the services revealed by services.msc to a microsoft.public newsgroup for
>professional guidance. If you turn off the wrong service you could cause
>serious problems, and at the very worst, leave the computer unbootable.
>
>An experienced computer technician can use a programme such as AutoStart
>Viewer for in-depth diagnosis:
>http://www.diamondcs.com.au/index.php?page=asviewer
>
>Another excellent programme for the experienced user is APM (Advanced
>Process Manipulation), available at:
>http://www.diamondcs.com.au/index.php?page=apm
>
>Once the computer is clean, and if it applies to the operating system,
>create a new restore point. The old ones may, of course, be infected with
>the malware and therefore cannot be used. Run disk cleanup to remove old
>restore points (if your operating system has this option you will find it on
>the 'more options' tab of the disk cleanup utility). If the option to remove
>old restore points is not available, stop and restart the restore service
>which will flush out old restore points and prevent accidental reloading of
>malware.
>
>MS have released a limited KB article regarding what they call 'deceptive
>software'.
>http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315
>
>Here is advice specific to:
>
>home page hijackings
>http://inetexplorer.mvps.org/answers.htm#home_page
>
>pop-up ads
>http://inetexplorer.mvps.org/data/popup.htm
>
>search engine hijackings
>http://inetexplorer.mvps.org/answers4.htm#search_engine

www.sounds-pa.com | www.thecomputerworkshop.com
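
The quoted FAQ's advice to watch the temp folders for mysterious *.exe or *.dll files can be scripted. The following is an added example, not part of the original post or the FAQ: it goes one step further than the extension check by also reading each file's header, so a renamed executable is still reported. The function names and the report layout are assumptions made for this illustration.

```python
import hashlib
import os

SUSPECT_EXTENSIONS = {".exe", ".dll"}

def is_pe(path):
    """True if the file starts with 'MZ' and its e_lfanew field points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            fh.seek(int.from_bytes(head[60:64], "little"))
            return fh.read(4) == b"PE\0\0"
    except OSError:  # locked or unreadable file
        return False

def sha256_of(path):
    """Hash the file so it can be looked up or compared later; None if unreadable."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        return None

def default_temp_dirs():
    """Temp folders named in the FAQ, plus the current user's TEMP/TMP."""
    candidates = [os.environ.get("TEMP"), os.environ.get("TMP"),
                  r"C:\temp", r"C:\Windows\Temp"]
    return sorted({c for c in candidates if c and os.path.isdir(c)})

def find_binaries(dirs):
    """Report files that are executable code by extension or by content."""
    findings = []
    for top in dirs:
        for folder, _subdirs, files in os.walk(top):
            for name in sorted(files):
                path = os.path.join(folder, name)
                by_name = os.path.splitext(name)[1].lower() in SUSPECT_EXTENSIONS
                by_content = is_pe(path)
                if by_name or by_content:
                    findings.append({"path": path, "by_name": by_name,
                                     "by_content": by_content,
                                     "sha256": sha256_of(path)})
    return findings

if __name__ == "__main__":
    for item in find_binaries(default_temp_dirs()):
        print(item)
```

A hit is only a prompt to look closer: installers and updaters legitimately unpack binaries into temp folders, so the script reports and never deletes.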


