I have done all that is suggested- run ad aware, hi-jack
this, spybot-- ALL UPDATED- they removed VX2,
Look2me,once. hijack this keeps finding auto.search,
etc. McAfee security center on, also their virus scan-
NONE of these programs finds any other spyware/malware,
except the search engines. Downloaded PestPatrol, which
also found VX2 and removed it. Pop-ups, and IE search
hijackings continued. 302 kb files in WINDOWS/SYSTEM-
cannot remove C*gwiz [* is changeable letter]- says in
use by Windows. Properties- Nic Tech Networks, 5/5/04. On
every restart, another 302 kb file in Windows System, but
I was able to remove those a couple of times, but then
PC would freeze, had to control-alt-del to restart. Each
restart, Windows is 'reconfiguring your start up files'.
I was able to open the C*gwiz file- once- and it had much
gibberish, but many messages at end- which pop up
frequently, plus the Nic Tech Networks info, along with
VeriSign and Fawlte certificate information [sorry I
didn't copy all this down]. Then- no CD. Tried to check
system resources, and on each tab click, that option
disappeared. Tried to restore registry in DOS- "this
program cannot run in DOS". Now I cannot start my PC in
safe mode, but when desktop appears, cannot use mouse,
and it repeatedly attempts to connect to the internet.
Started PC with a boot disk- tried to copy SYS C files
[command.com. IO.sys, MSDOS.sys] no go- "needed
parameters missing". I am now running a full scandisk
from boot disk.
Tried calling MS virus help line- after receiving sales
pitch to upgrade to XP, was cut off twice.
Presently running MS Windows98SE, IE 6.0.28000, 128 bit
security. Current on all updates.
-----Original Message-----
There are many people who have helped this FAQ improve
over time - MVPs and
newsgroup users. I thank all of you who have made the
newsgroups,
anti-malware websites and dedicated mailing lists into
such a wonderful
resource.
IMPORTANT: Before trying to remove spyware, download a
copy of LSPFIX from
the URL below - some malware can kill your internet
connection when it is
removed, and this software should get things going for
you again:
http://www.cexx.org/lspfix.htm
IMPORTANT: After obtaining the software below, make sure
you check for
updates and then run the programmes in safe mode.
You can go to the link below to check your system for
parasites (supplied by
Doxdesk.com):
http://inetexplorer.mvps.org/parasite.htm
Malware removal (beginners guide):
First, go to Control Panel, add/remove programs. Check
for malware entries
and use the uninstall programs.
Second, get AdAware. [..Warning: AdAware is now version
6.181. All previous
versions are NO LONGER SUPPORTED and will not be
updated...]
AdAware is available at www.lavasoft.de. Make sure you
check for updates
every time you use it.
To be most effective, you must run AdAware while Windows
is in safe mode.
Modern malware uses more than one process, and these
processes are
'co-dependent'. In other words, when one process
detects that the other
has been shut down, it automatically restarts its
sibling, often using a
different name.
Disable the ability of suspect processes to start
automatically by using
MSCONFIG (startup tab) before booting into safe mode.
Use the information
at the URL below as a guide:
http://www2.whidbey.com/djdenham/Uncheck.htm
Reboot your computer and hold down the F8 key until the
boot menu options
appear. Select 'safe mode'. After you are in safe
mode, check to make sure
the suspect processes did not start up. If they did
start up, we are going
to have to track down *where* they are coming from
before going any further.
An experienced computer technician can use a programme
such as AutoStart
Viewer for in-depth diagnosis:
http://www.diamondcs.com.au/index.php?page=asviewer
While still in safe mode, and after you have shut down
as many malware
processes as possible, start AdAware. AdAware, when run
using default
settings, simply does not cope with new 'intelligent'
malware. Make sure
'activate in depth scan' is enabled. Select 'use custom
scanning options'
and then click on the 'customize' button. Turn on the
following scan
options - scan within archives, active processes,
registry (including deep
scan), IE favorites and hosts file. You must also turn
on the following
option via the 'tweak' button:
Cleaning engine: 'automatically try to unregister
objects prior to deletion'
IMPORTANT: Before letting AdAware delete malware, write
down on a piece of
paper exactly where the malware is stored. You will
need to delete those
directories after AdAware has done its work, but ONLY IF
IT IS NOT A
STANDARD WINDOWS DIRECTORY.
After running AdAware, run it again, this time using the
option 'select
drives/folders to scan'. Click on 'select'. Scan your
entire hard drive.
Also do the following:
Empty your IE cache and your other temporary file
folders, eg:
c:\windows\temp (if using Windows 98) or C:\Documents
and
Settings\name\Local Settings\Temp (the path to your
temp folder will
change depending on your name) - sometimes programmes
can be hidden in
there - watch out for mysterious *.exe files or *.dll
files in those
folders.
Go to IE Tools, Internet Options, Temporary Internet
Files {Settings
Button}, View Objects, Downloaded Programme Files. Check
for unusual objects
there.
Go to IE Tools, Internet Options, Accessibility. Make
sure there is no
style sheet chosen (under User Style Sheet - format
documents using my style
sheet). If the option is turned on, turn it OFF.
It is possible to turn off third party extensions
(Enable third-party
browser extensions (requires restart) at IE tools,
internet options,
advanced) to disable *all* plug-ins but troubleshooting
will be difficult
and it is only a BANDAID. Nothing gets fixed. There is
software that
depends on 'third party browser extensions' to work,
including Acrobat,
Microsoft Money, and many other programmes.
Once your computer is clean, and if it applies to your
operating system,
create a new restore point. Your old ones may, of
course, be infected with
the malware and therefore cannot be used. Run disk
cleanup to remove old
restore points (if your operating system has this option
you will find it on
the 'more options' tab of the disk cleanup utility).
If you are still having problems:
You can go to the link below to check your system for
parasites and
hopefully identify your problem (supplied by
Doxdesk.com):
http://inetexplorer.mvps.org/parasite.htm
Download and run the latest version of "Cool Web
Shredder"
http://www.merijn.org/files/CWShredder.exe
The more experienced user can try Spybot. Again, it is a
free programme
which can be downloaded from:
http://spybot.eon.net.au/. Warning: it is NOT
a good programme for the inexperienced. If you want to
use this programme,
please get the advice of those more experienced
before 'fixing' anything
that it finds.
Another excellent programme that allows you to examine
your system and
*create a results log for experts to examine* is
HijackThis, available from:
http://209.133.47.12/~merijn/files/HijackThis.exe
(direct download)
MS have released a limited KB article regarding what
they call 'deceptive
software'.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315
Here is advice specific to:
home page hijackings
http://inetexplorer.mvps.org/answers.htm#home_page
pop-up ads
http://inetexplorer.mvps.org/data/popup.htm
search engine hijackings
http://inetexplorer.mvps.org/answers4.htm#search_engine
--
Hyperlinks are used to ensure advice remains current
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org/
BigMig wrote:
An IESEARCH application has been downloaded (unwanted)
from a web site. Every 5 minutes or so it connects my
pc
to the internet. I cannot delete this application
because "it is in use by window". How do I delete this
application
.
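
The FAQ's temp-folder check ("watch out for mysterious *.exe files or *.dll files"), as an added example that is not part of the original posts: it lists files that are executables by content (MZ/PE header) as well as by extension, so a renamed binary is also reported. It assumes Python is available on the machine used to inspect the drive; the function names and the sample files are constructed for illustration.

```python
import os
import struct
import tempfile

EXEC_EXTS = (".exe", ".dll")

def is_pe_file(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            (pe_offset,) = struct.unpack_from("<I", head, 0x3C)  # e_lfanew
            fh.seek(pe_offset)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False  # locked or unreadable; re-check such files from safe mode

def scan_temp_folders(folders):
    """Report files that look executable by extension or by content."""
    findings = []
    for folder in folders:
        for root, _dirs, files in os.walk(folder):
            for name in files:
                path = os.path.join(root, name)
                ext = os.path.splitext(name)[1].lower()
                pe = is_pe_file(path)
                if pe or ext in EXEC_EXTS:
                    findings.append({
                        "path": path,
                        "is_pe": pe,
                        # executable content hidden behind another extension
                        "disguised": pe and ext not in EXEC_EXTS,
                    })
    return sorted(findings, key=lambda f: f["path"])

def build_sample(folder):
    """Constructed sample data: a minimal fake PE header, not a real program."""
    fake_pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00"
    contents = {"sample.dll": fake_pe, "setup.tmp": fake_pe,
                "notes.exe": b"plain text", "readme.txt": b"plain text"}
    for name, data in contents.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:  # stand-in for c:\windows\temp
        build_sample(demo)
        for hit in scan_temp_folders([demo]):
            print(hit)
```

To check a real system, pass the temp folders the FAQ names to `scan_temp_folders` instead of the demo directory.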