#229415 - 03/08/2004 03:12
Help desperately needed
carpal tunnel
Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Okay, I've got two problems in one image:
First the smaller [I believe] issue. The search bar has been changed to whatever that is. Anyone recognize it or know how to remove it?
Now a more worrying problem: the startup. As you can see, somehow there are dozens and dozens of HTML lines in the startup. What the heck is going on there? I've run AVG (since Norton, which is installed on this machine, never caught anything), and it removed all the viruses it could find.
The last problem is that every time the computer starts up, the system32 folder opens up again and again. From what I've read of this problem, it's most likely due to the lines in the registry caused by the previous problem. Am I right in that conclusion?
Anyway, I really need help on this. I spent 4 hours cleaning this person's computer (their son had 100 viruses on his computer that AVG found), and I want to be able to successfully finish cleaning it. Thanks in advance.
Attachments
228195-untitled.jpg
_________________________
Matt
#229416 - 03/08/2004 03:48
Re: Help desperately needed
[Re: Dignan]
old hand
Registered: 15/02/2002
Posts: 1049
I would recommend running adaware (lavasoft.com) on this machine. Adaware seems to get rid of most of this kind of spyware, adware BS. After that, you can go after the registry "Run" entries.
FWIW, Jim
#229417 - 03/08/2004 03:57
Re: Help desperately needed
[Re: Dignan]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
Ick. The first thing I'd do is bring it up in safe mode and disable all the weird startup items. I like the Windows startup online repository for finding what should and should not be in the startup. Also, right click Internet Explorer, select Properties, and return everything to the defaults on all the tabs, and delete all offline content. Still while in safe mode, flush the temp folder (c:\windows\temp) and empty the trash.

Restart, make sure all the Windows updates are done. Install and update Spybot (ver 1.3 currently I think), immunize and install the TeaTimer resident piece (under Spybot's advanced mode).

Then the real fun starts: I google all the odd, recent exe and dll files and folders in C:\, c:\program files, c:\program files\common files, c:\windows, c:\windows\system(32) and delete like mad and cross my fingers. I go back into the msconfig startup to see what's been put back - resident programs will put entries back as fast as you remove them. The TeaTimer piece will try to intercept them. About 3/4 of the time this works. Good luck! -jk
#229418 - 03/08/2004 04:02
Re: Help desperately needed
[Re: jmwking]
carpal tunnel
Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Thanks, that was very helpful. I'll give it all a try tomorrow and hope it works. I'd run AVG, Ad-aware, and Spybot on the machine, and it all found a good amount of stuff, but I understand why I'll have to go through the steps you describe.
When I remove the bad lines from the startup in msconfig, will that also remove the corresponding lines in the registry?
_________________________
Matt
#229419 - 03/08/2004 04:23
Re: Help desperately needed
[Re: Dignan]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
Quote: When I remove the bad lines from the startup in msconfig, will that also remove the corresponding lines in the registry?
It puts the lines in a different place, so if you check one you shouldn't have, you can undo it. Usually. There's one I came across that replaced a security file of some sort, and I couldn't restart the computer without one or the other. That was one of those 1/4. I'm more careful googling them now... The registry location varies (naturally) depending on the version of Windows.
-jk
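An added example, not code from this thread or from any of the tools named in it, that does the inspection jmwking describes above (the msconfig startup list and the registry Run entries behind it) from a script rather than by hand, and answers Matt's question about where msconfig puts an unticked entry. It assumes Windows PowerShell 5.1 or later on an elevated prompt, and it assumes the msconfig layout of Windows XP through Windows 7, where an unticked item is moved under the `startupreg` key rather than deleted; Windows 8 and later record the on/off state under `...\Explorer\StartupApproved\Run` instead, so on those the `startupreg` key is normally absent and the script just skips it. The suspicion heuristics are this example's own, chosen to match the symptoms in the first post (HTML lines in the startup, leftovers after partial cleanup):

```powershell
# Added example, not code from the thread: enumerate the Run/RunOnce autostart
# entries discussed above, plus the entries msconfig has unticked, and flag the
# ones that look like the spyware in the original post.
# Assumptions: Windows PowerShell 5.1 or later, run from an elevated prompt as
# the affected user. The msconfig "startupreg" key is where Windows XP through
# Windows 7 parks unticked items instead of deleting them; Windows 8 and later
# use StartupApproved instead, so there the key is absent and simply skipped.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$msconfigDisabled = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Get-SuspicionReasons {
    param([string]$Command)
    $reasons = @()

    # The original post's symptom: HTML files or URLs where an .exe should be.
    if ($Command -match '\.html?\b|https?://') { $reasons += 'html/url payload' }

    # Legitimate autostarts rarely run out of temp or the user profile.
    if ($Command -match '\\(Temp|Temporary Internet Files|Local Settings|AppData)\\') {
        $reasons += 'runs from temp/profile'
    }

    # An entry whose target no longer exists is residue from a partial cleanup
    # (the scanner removed the file but left the Run value behind).
    if ($Command -match '^\s*"?([^"]+?\.(exe|dll|scr|com))') {
        $target = $Matches[1]
        if ([System.IO.Path]::IsPathRooted($target) -and -not (Test-Path -LiteralPath $target)) {
            $reasons += 'target missing'
        }
    }
    return ,$reasons
}

function Show-Autostart {
    param([string]$Key, [string]$Name, [string]$Command, [string]$State)
    $reasons = Get-SuspicionReasons -Command $Command
    $flag = if ($reasons.Count -gt 0) { 'SUSPECT (' + ($reasons -join ', ') + ')' } else { 'ok' }
    '{0,-8} {1,-40} {2}\{3} = {4}' -f $State, $flag, $Key, $Name, $Command
}

# Entries that will run at the next logon.
foreach ($key in $autostartKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        Show-Autostart -Key $key -Name $prop.Name -Command ([string]$prop.Value) -State 'enabled'
    }
}

# msconfig does not delete an unticked startup item; it moves the value here,
# one subkey per item, with the original key path in 'key' and the name in 'item'.
# Re-ticking the box in msconfig moves it straight back, which is the "undo"
# jmwking refers to.
if (Test-Path -Path $msconfigDisabled) {
    foreach ($sub in Get-ChildItem -Path $msconfigDisabled) {
        $v = Get-ItemProperty -Path $sub.PSPath
        Show-Autostart -Key ([string]$v.key) -Name ([string]$v.item) -Command ([string]$v.command) -State 'disabled'
    }
}
```

Run it once before and once after each cleanup pass; a SUSPECT line that reappears between passes is the resident re-installer jmwking warns about, and the process writing it has to be killed before the value is removed. Unticking in msconfig only moves the value to the `startupreg` key, so to actually delete one use `Remove-ItemProperty -Path <key> -Name <name>` on the enabled entry, or remove the corresponding `startupreg` subkey for a disabled one.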
#229420 - 03/08/2004 05:22
Re: Help desperately needed
[Re: Dignan]
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
Quote: and I want to be able to sucessfully finish cleaning it. Thanks in advance.
I say we dust off and nuke the site from orbit. It's the only way to be sure.
Seriously, if it's been that full of sh*t, who knows how much damage has been done to the OS installation?
_________________________
-- roger
#229422 - 03/08/2004 12:02
Re: Help desperately needed
[Re: Dignan]
enthusiast
Registered: 18/03/2002
Posts: 225
Loc: San Diego, California USA
I had a similar problem and it took a combination of Ad-Aware software and also "HiJack This" to remove it. I was having trouble just using Ad-Aware because even though I kept removing it, it kept re-installing itself. HiJack This is a great tool that lets you remove stuff from the start-up or browser start-up...
Those two apps should work for you.....
Good luck, Randy
_________________________
Happy owner of 2 Centrals, 2 Empegs Mk2a 160GB, 1 Empeg Mk2a 60 GB, a Rio Riot, 4 Rio Receivers, and two 1GB iPod Shuffles...
#229423 - 03/08/2004 18:26
Re: Help desperately needed
[Re: The Central Guy]
old hand
Registered: 28/04/2002
Posts: 770
Loc: Los Angeles, CA
I've gotten the science of killing spyware down to an art.
Install Ad-aware, Spybot, Google Toolbar, SpywareBlaster, and HijackThis, reboot.
Run Ad-aware, Spybot's immunization and fix problems, immunize with SpywareBlaster, and then clean up all other signs with HijackThis (odd startups or BHOs; the best way to tell is if the filename is all weird). Using HijackThis is an art in itself, make sure you don't mess up and kill something crucial.
Oh, word to the wise... iexplorer should not be running when you start scanning for spyware until you reboot.
#229424 - 03/08/2004 18:42
Re: Help desperately needed
[Re: Roger]
carpal tunnel
Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Quote: I say we dust off and nuke the site from orbit. It's the only way to be sure.
This would be my suggestion as well, but I don't think they want to do that. This machine is so far in the crapper it's not worth "cleaning," but I got it to the point where it wasn't giving them any crazy error messages, system32 randomly popping up, or odd blank error messages from the Symantec email proxy. Not sure what that was about.
I ended up using Spybot to remove the strange HTML lines from the startup, and as I assumed, the system32 folder stopped popping up.
Anyway, I've got to teach people not to blindly click on stuff. Hell, at least don't install the basic free version of Kazaa.
_________________________
Matt