A Windows 98 & ME forum. Win98banter


Malware infection
  #1  
Old May 11th 05, 03:01 AM
Bart

I never thought it would happen to me but somehow several adware programs
have infiltrated my ME machine. Too many to recite here, but they came from
running a Yahoo music program, I believe. I have run Ad-Aware 6 Personal
build 6.181 and Spybot. Both have been updated to their limits and did what
they could. A Panda Titanium 2005 scan removed 4 viruses but could not
remove the adware because it was an online scan. All that is left is the
stubborn adware. (I removed my Norton AV based on the bad reports here and
was 'tween AV's when this happened) Panda suggested the following:

How to eliminate viruses and other threats completely from the restore
folder.
Click Start.
Select Settings.
Select Control Panel.
Double-click on System.
Select the Performance tab.
Click File System.
Click the Troubleshooting tab.
Enable the Disable System Restore checkbox.
Click Apply.
Disable the Disable System Restore checkbox.
Click Apply.
Save the changes by clicking OK.
The computer will ask you if you want to restart. Do it and when you start
it again, the viruses and other threats detected will have disappeared from
the _restore folder.
Carry out a full scan of your computer using the antivirus program in order
to ensure that it is correctly disinfected.

(I've seen this recommended in this NG before)

Is this 1) what I should do, or 2) a system restore, or 3) just get an
AV/malware program and run that? If so, is there a preferred way to install
the AV in the presence of the malware?

I hate being a bozo and realize I was carelessly unsafely browsing. Now
just to get back to where I belong...
Thanks to all.

Bart


  #2  
Old May 11th 05, 03:13 AM
David H. Lipman


Ad-aware 6 is no longer supported nor updated!
You need Ad-aware SE v1.05.

Please follow the instruction set below...

Download and install Ad-aware SE
http://www.lavasoftusa.com/
Update Ad-aware with the latest definitions and then exit the software.

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start -- Settings -- Control Panel -- Internet Options -- Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools -- Options -- Privacy -- Cache -- Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. If you are using Windows XP, you may have to disable the Windows XP FireWall to
allow the FTP utility to download the needed files.

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

Execute Ad-aware SE and perform a full system scan and have the software clean/delete all
parasites found.

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #3  
Old May 11th 05, 03:15 AM
Richard G. Harper

In order of preference:

(1) A comprehensive cleaning process, like the one at
http://rgharper.mvps.org/cleanit.htm should be tried first.

(2) If you have a reasonable idea of when the infection started AND it is
not too far in the past (days would be reasonable, weeks would be pushing
it, months would definitely be too far out) you could try a System Restore.

Under no circumstances should you flush the System Restore cache before
cleaning! Never!! Ever!!! If you succeed in cleaning something and your
system winds up trashed because the malware screwed up essential system
files you can at least restore back to your infected-but-working state as
long as you haven't flushed the SR cache. But if you flush it first and
then try cleaning ... you're probably up the creek without a paddle at that
point if the cleaning process goes pear-shaped.

--
Richard G. Harper [MVP Shell/User]
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ...
http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm




  #4  
Old May 13th 05, 03:59 AM
Bart

Thanks for the procedure. I did perform the scans as you directed. I did,
however, install Panda's Titanium 2005 AV and Spyware/Adware program and
scanned. It reported several infections and fixed all. However on
subsequent scans with Panda and with at least 3 online scan tools, the
reports were all similar to what your programs scan told me: the various
Trojans and adware infections were in the C:\restore\archive\FS2947 folder,
in the C:\Windows\Temp\cfin folder and in the C:\program files\Spybot-Search
and Destroy\recovery folders. The McAfee report follows.

05/12/2005 19:57:25

Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /PROGRAM /MIME /HTML "C:\MCAFEE\SCANREPORT.HTML"

Scanning C: [MICRONPC]
Scanning C:\*.*
C:\_RESTORE\ARCHIVE\FS2950.CAB\A0077167.CPY ... Found potentially unwanted program Adware-Websearch.
C:\_RESTORE\ARCHIVE\FS2950.CAB\A0077173.CPY ... Found potentially unwanted program Adware-Websearch.
C:\_RESTORE\ARCHIVE\FS2950.CAB\A0077197.CPY ... Found potentially unwanted program Adware-Websearch.
C:\_RESTORE\ARCHIVE\FS2955.CAB\W0110929.CPY ... Found potentially unwanted program Adware-SAHAgent.
C:\_RESTORE\ARCHIVE\FS2949.CAB\A0077043.CPY ... Found potentially unwanted program Adware-Websearch.
C:\_RESTORE\ARCHIVE\FS2949.CAB\A0077121.CPY\00025d40.EXE ... Found potentially unwanted program Adware-abetterintrnt.
C:\_RESTORE\ARCHIVE\FS2949.CAB\A0077128.CPY ... Found potentially unwanted program Adware-SAHAgent.
C:\_RESTORE\ARCHIVE\FS2949.CAB\A0077130.CPY ... Found potentially unwanted program Adware-SAHAgent.
C:\_RESTORE\ARCHIVE\FS2949.CAB\A0077133.CPY ... Found potentially unwanted program Adware-SAHAgent.
C:\_RESTORE\ARCHIVE\FS2953.CAB\A0077270.CPY\00025d40.EXE ... Found potentially unwanted program Adware-abetterintrnt.
C:\_RESTORE\ARCHIVE\FS2954.CAB\A0077405.CPY ... Found potentially unwanted program Adware-SAHAgent.
C:\_RESTORE\ARCHIVE\FS2963.CAB\W0111843.CPY\W0111843.CPY ... Found the Generic StartPage.c Trojan !!!
C:\_RESTORE\ARCHIVE\FS2960.CAB\A0077533.CPY ... Found potentially unwanted program Adware-abetterintrnt.
C:\_RESTORE\ARCHIVE\FS2960.CAB\A0077539.CPY ... Found potentially unwanted program Adware-SAHAgent.
C:\_RESTORE\ARCHIVE\FS2960.CAB\A0077541.CPY ... Found potentially unwanted program Adware-SAHAgent.
C:\_RESTORE\ARCHIVE\FS2960.CAB\A0077542.CPY ... Found potentially unwanted program Downloader-KL.
C:\_RESTORE\ARCHIVE\FS2960.CAB\A0077547.CPY ... Found potentially unwanted program Adware-DFC.
C:\_RESTORE\ARCHIVE\FS2960.CAB\A0077548.CPY\A0077548.CPY\0000b470.EXE\0000b470.EXE ... Found the Downloader-LG.dll Trojan !!!
C:\_RESTORE\ARCHIVE\FS2960.CAB\A0077578.CPY\A0077578.CPY ... Found potentially unwanted program Adware-EliteBar.
C:\_RESTORE\ARCHIVE\FS2960.CAB\A0077581.CPY ... Found potentially unwanted program Adware-Apropos.
C:\_RESTORE\ARCHIVE\FS2960.CAB\A0077590.CPY ... Found potentially unwanted program Adware-Apropos.
C:\_RESTORE\ARCHIVE\FS2960.CAB\A0077597.CPY ... Found potentially unwanted program Adware-DealHelper.
C:\_RESTORE\ARCHIVE\FS2960.CAB\A0077613.CPY\A0077613.CPY ... Found the Downloader-LG Trojan !!!
C:\_RESTORE\ARCHIVE\FS2956.CAB\A0077456.CPY\A0077456.CPY ... Found the Generic StartPage.c Trojan !!!
C:\_RESTORE\ARCHIVE\FS2956.CAB\A0077458.CPY\A0077458.CPY ... Found the Generic StartPage.c Trojan !!!
C:\_RESTORE\ARCHIVE\FS2956.CAB\A0077459.CPY\A0077459.CPY\0000b660.EXE\0000b660.EXE ... Found potentially unwanted program Adware-EliteBar.
C:\_RESTORE\ARCHIVE\FS2956.CAB\A0077463.CPY\A0077463.CPY ... Found the Downloader-LG Trojan !!!
C:\_RESTORE\ARCHIVE\FS2956.CAB\A0077465.CPY\A0077465.CPY ... Found the Downloader-XA Trojan !!!
C:\_RESTORE\ARCHIVE\FS2956.CAB\A0077466.CPY\A0077466.CPY ... Found the Downloader-LG.dll Trojan !!!
C:\_RESTORE\ARCHIVE\FS2948.CAB\W0110393.CPY ... Found potentially unwanted program Adware-SAHAgent.
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0075636.CPY ... Found the AdClicker-BA Trojan !!!
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0075923.CPY\A0075923.CPY ... Found the Generic StartPage.c Trojan !!!
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0076233.CPY\00011968.EXE\00011968.EXE ... Found the Generic StartPage.c Trojan !!!
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0076240.CPY\A0076240.CPY ... Found the Generic StartPage.c Trojan !!!
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0076242.CPY\A0076242.CPY ... Found the Generic StartPage.c Trojan !!!
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0076243.CPY\A0076243.CPY\0000b660.EXE\0000b660.EXE ... Found potentially unwanted program Adware-EliteBar.
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0076255.CPY ... Found potentially unwanted program Adware-abetterintrnt.dldr.
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0076368.CPY\00025d40.EXE ... Found potentially unwanted program Adware-abetterintrnt.
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0076376.CPY ... Found potentially unwanted program Adware-Apropos.
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0076379.CPY ... Found potentially unwanted program Adware-DFC.
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0076385.CPY ... Found potentially unwanted program Adware-Websearch.
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0076402.CPY ... Found potentially unwanted program Adware-Apropos.
C:\_RESTORE\ARCHIVE\FS2947.CAB\A0076420.CPY ... Found potentially unwanted program Adware-Websearch.
C:\WINDOWS\TEMP\cfin\cfin ... Found potentially unwanted program Adware-DFC.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 77331
Clean: ................. 77206
Possibly Infected: ..... 13
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0

I understand that Ad-Aware SE is very popular, but will it do more than what
Panda did? Since I already owned the program but did not have it installed
before the infection, I thought I would try it. My guess now is that the
infections found by all scans are either residing in the restore folder or
in a "quarantine" folder in Spybot and unable to cause problems unless I
were to restore to that restore date. Now, Mr. Harper has also responded
to my dilemma and prescribed a mode of action which I intend to follow
tomorrow.

Please review and give me your opinion on my status and what any possible
next step should be. I should say that my machine "seem" to be OK now with
no recurring symptoms so far.

Thank you, Mr. Lipman, for your concern and help.

Bart






  #5  
Old May 13th 05, 04:52 AM
David H. Lipman

Bart:

Please, call me Dave. ;-)

The vast majority were in the System Restore cache. Only one infector was found in the TEMP
folder. Basically your System Restore cache is full of sh!t. If you were to restore to a
previous Restore Point you will get infected. You should use Ad-aware SE and perform a
full scan, deep scan, of the computer. Since you indicate your PC is working OK, it would
definitely be best to dump the cache and then re-enable it. It is my suggestion that you
dump the contents of the System Restore cache by disabling it, rebooting and then
re-enabling it with a cache size from 400~600MB. I would also suggest cleaning the TEMP
folder.

Much of what was found in the System Restore cache were non-viral malware. The rest were
Trojans. McAfee is geared towards viral malware but, as you see, it can find many forms of
malware. Panda is like McAfee, in that it is geared towards viral malware. Since McAfee
and Panda are *better* at viruses than adware/spyware it is suggested that you scan using
Ad-aware SE v1.05 -- http://www.lavasoftusa.com/ which is geared for adware/spyware and not
viruses.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
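Added example, not code from the thread or from either scanner vendor: a small Python script that reads a McAfee Command Line Scanner report in the format Bart posted in #4, rejoins the lines the newsreader wrapped (including the spaces it dropped into 8.3 file names), and tallies each detection by where it sits, which is the sorting Dave did by eye in #5 (System Restore archive versus a live folder such as TEMP). The location labels, the 8.3-name repair rule and the sample excerpt are my assumptions; the excerpt is constructed from entries in the posted report.

```python
"""Triage a McAfee Command Line Scanner text report: rejoin newsreader-wrapped
lines, then classify and count every detection by where it was found."""
import re
from collections import Counter

# Constructed excerpt (assumption, not a full report) in the format of the
# report posted in the thread.  Two entries reproduce the wrap damage seen in
# the post: a space inserted inside an 8.3 name, and a name broken across lines.
SAMPLE_REPORT = r"""
Scanning C: [MICRONPC]
Scanning C:\*.*
C:\_RESTORE\ARCHIVE\FS2950.CAB\A0077167.CPY ... Found potentially unwanted
program Adware-Websearch.
C:\_RESTORE\ARCHIVE\FS2963.CAB\W0111843.CPY\W01118 43.CPY ... Found the
Generic StartPage.c Trojan !!!
C:\_RESTORE\ARCHIVE\FS2960.CAB\A0077548.CPY\A00775 48.CPY\0000b470.EXE\0000b4
70.EXE ... Found the Downloader-LG.dll Trojan !!!
C:\WINDOWS\TEMP\cfin\cfin ... Found potentially unwanted program Adware-DFC.
The file or process has been deleted.

Summary report on C:\*.*
"""

RECORD_START = re.compile(r"^[A-Za-z]:\\")  # a detection line begins with a drive
VERDICT = re.compile(
    r"^(?P<path>.+?) \.\.\. Found (?:the (?P<trojan>.+?) Trojan !!!"
    r"|potentially unwanted program (?P<pup>.+?)\.)$"
)
SHORT_NAME = re.compile(r"^[A-Za-z0-9_~$]{1,8}(?:\.[A-Za-z0-9]{1,3})?$")  # DOS 8.3 name


def rejoin_wrapped(text):
    """Glue continuation lines back onto the detection they belong to.  A line
    that does not start with a drive letter is wrap spill only while the previous
    record is not yet a complete verdict; status lines such as
    'The file or process has been deleted.' follow complete records and are dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records and not VERDICT.match(records[-1]):
            records[-1] += " " + line
    return [r for r in records if VERDICT.match(r)]


def repair_path(path):
    """Remove the spaces a wrapper inserted inside 8.3 names.  Restore-archive
    and CAB member names never contain spaces, so a component that collapses to
    a valid short name is repaired; 'Program Files' and friends are left alone."""
    fixed = []
    for part in path.split("\\"):
        squeezed = part.replace(" ", "")
        fixed.append(squeezed if " " in part and SHORT_NAME.match(squeezed) else part)
    return "\\".join(fixed)


def classify_location(path):
    """Where the detection lives.  Only 'live' and 'temp' hits can run; the
    restore archive and a scanner's quarantine only matter if they are restored."""
    upper = path.upper()
    if re.match(r"^[A-Z]:\\_RESTORE\\", upper):
        return "system-restore-cache"
    if "\\TEMP\\" in upper:
        return "temp"
    if "\\RECOVERY\\" in upper or "\\QUARANTINE\\" in upper:
        return "scanner-quarantine"
    return "live"


def parse_report(text):
    """Return one dict per detection: path, kind (trojan/pup), name, location."""
    findings = []
    for record in rejoin_wrapped(text):
        m = VERDICT.match(record)
        path = repair_path(m.group("path"))
        findings.append({
            "path": path,
            "kind": "trojan" if m.group("trojan") else "pup",
            "name": m.group("trojan") or m.group("pup"),
            "location": classify_location(path),
        })
    return findings


def summarize(findings):
    """Counts per location and per (location, kind)."""
    return {
        "by_location": dict(Counter(f["location"] for f in findings)),
        "by_kind": dict(Counter((f["location"], f["kind"]) for f in findings)),
    }


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for f in found:
        print(f"{f['location']:<22} {f['kind']:<6} {f['name']:<22} {f['path']}")
    print(summarize(found))
```

Fed the full report from #4, the tally comes out the way Dave read it: every hit but the single C:\WINDOWS\TEMP entry is inside C:\_RESTORE\ARCHIVE.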


  #6  
Old May 13th 05, 01:55 PM
Bart

Dave,
I appreciate your modesty as much as I appreciate your assistance.
However, your concern and advice indicate you are certainly worthy of a
"Mister". Thank you.
I will obtain Ad-Aware SE 1.05 and do the deep scans and flush the
System Restore cache and hopefully "get back to where I belong". One
question: With all the maneuvering and ups and downs and stress of using
cleaners and scanners and whatever to remove malware, when is it just as
easy to fdisk/mbr, format and reinstall? The Win9x family tends to get
constipated over time and a colonic, so to speak, seems to be the best
prescription. That way all the detritus that one thinks they need is gone,
and the OS is clean, simple and speedy. I once thought I needed umpteen
fonts and cute little programs that looked nice but did little. One time
down the format avenue and I now use only the basic fonts and store only
*.doc, *.qpw, etc., which are backed up anyway. All my pictures are on CD and
any music is burned and jewel-cased. Can this be the best way to go?
K-I-S-S (keep it simple, stupid) is my motto now.
Thanks again. (cold and snowy here in the northern plains of USA, 12
inches of white wet stuff)

Bart







  #7  
Old May 13th 05, 03:07 PM
David H. Lipman

Bart:

Please, call me Dave. I am here to help but I am informal.

If you have *all* your data on backup media then the decision to wipe the hard disk and
reinstall the software is purely your choice. There are some locations you may not have
thought of that should be backed up...

c:\My Documents
c:\WINDOWS\All Users
c:\WINDOWS\Application Data
c:\WINDOWS\Desktop
c:\WINDOWS\Favorites
c:\WINDOWS\Start Menu

If you want to spend the time installing, updating and restoring data that's your decision.
I can't make it for you. However, you should NOT reinstall WinME and all updates without
making sure you have a recent version of anti virus software running and a copy of Ad-aware
SE installed. This will help you to prevent being in this position 6 months or so later
down the road.

I also suggest you read about Safe Hex practices. http://www.claymania.com/safe-hex.html

BTW: You have my sympathies on the weather. Except for a brisk and cool wind coming off
the Atlantic Ocean, it is a beautiful Spring day here on the Jersey shore. { see attached }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm




  #8  
Old May 16th 05, 02:19 AM
Bart

First of all, I apologize for being tardy in replying. It has been a zoo
here.

I went to your site and followed the procedure as you outline it. I can say
to all interested that the procedure is concise and filled with common
sense. I had used Dave's program earlier and with yours I was able to
confirm that the infection has been taken care of. A/V is installed and
updated, Ad-Aware SE is up and running, Spybot has been executed twice and
no trace of any malware is evident. I did purge the System Restore cache
once I was sure my machine was clean. In addition, a firewall was installed
as well.

Thank you for responding to my dilemma and offering great advice. Dumping
the restore would have been disastrous as I was advised from outside this
NG. I can trust you folks to the n-th degree!

Bart






  #9  
Old May 16th 05, 03:29 AM
Richard G. Harper
external usenet poster
 
Posts: n/a
Default

I'm glad I was able to help you get your problems cleared up.

--
Richard G. Harper [MVP Shell/User]
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ...
http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


  #10  
Old May 16th 05, 01:20 PM
Jack E Martinelli
external usenet poster
 
Posts: n/a
Default

I congratulate you for having the exceptional good sense to follow Messrs.
Lipman and Harper's good advice.

Symantec's advice, and that from others, to purge the WinME System Restore
cache, PRIOR to ensuring that the system is running well, amounts to
criminal negligence, IMO.
As Mike M has repeatedly pointed out, SR may be all that is left with which
to recover, in some particularly bad situations. Throwing out the parachute
before one is on the ground is a sure recipe for disaster.

So, kudos to you, for doing the right thing here, Bart.
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm
In Memoriam: Alex Nichol
http://www.microsoft.com/windowsxp/e...ts/nichol.mspx
Your cooperation is very appreciated.
 



