A Windows 98 & ME forum. Win98banter


?Unremovable malware, continued 302 kb sys file additions



 
 
#1
June 23rd 04, 06:27 PM
pjd190

I have attempted ALL recommended malware/spyware removal
tools- Ad-Aware, hijack this, spybot-- ALL UPDATED- they
removed VX2, Look2me,claria, once. hijack this keeps
finding auto.search, etc. McAfee security center on, also
their virus scan-
NONE of these programs finds any other spyware/malware,
except the search engines. Downloaded PestPatrol, which
also found VX2 and removed it. Pop-ups, and IE search
hijackings continued. 302 kb files in WINDOWS/SYSTEM-
cannot remove C*gwiz [* is changeable letter]- says in
use by Windows. Properties of this file- Nic Tech
Networks, 5/5/04. On
every restart, another 302 kb file in Windows System, but
I was able to remove those a couple of times, but then
PC would freeze, had to control-alt-del to restart. Each
restart, Windows is 'reconfiguring your start up files'.
I was able to open the C*gwiz file- once- and it had much
gibberish, but many messages at end- which pop up
frequently, plus the Nic Tech Networks info, along with
VeriSign and Fawlte certificate information [sorry I
didn't copy all this down]. Then- no CD- missing file.
Tried to check system resources, and on each tab click,
that option disappeared. Tried to restore registry in DOS-
"this program cannot run in DOS". Now I cannot start my
PC in safe mode, but when desktop appears, cannot use
mouse, and it repeatedly attempts to connect to the
internet.
Started PC with a boot disk- tried to copy SYS C files
[command.com, IO.sys, MSDOS.sys] no go- "needed
parameters missing". Ran a full scandisk
from boot disk- no problems found. Restarted, attempted
to make it a safe mode- opened in regular Windows
desktop, but mouse is usable again, continued attempts by
malware to connect to the internet [which is disconnected
for this computer]
Tried calling MS virus help line- after receiving sales
pitch to upgrade to XP, was cut off twice.
Presently running MS Windows98SE, IE 6.0.28000, 128 bit
security. Current on all updates.

#2
June 24th 04, 04:22 AM
AlmostBob

Try reboot to DOS
del c:\windows\system\c?gwiz.*
and realize also that the dropper that is creating the c?gwiz.exe executables
may not be called c?gwiz

--
Adaware http://www.lavasoft.de
spybot http://security.kolla.de
AVG free antivirus http://www.grisoft.com
Panda online AntiVirus scan http://www.pandasoftware.com/ActiveScan/
Catalog of removal tools http://www.pandasoftware.com/download/utilities/
Blocking Unwanted Parasites with a Hosts file
http://mvps.org/winhelp2002/hosts.htm
links provided as a courtesy, read all instructions on the pages before use
Grateful thanks to the authors/webmasters

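
AlmostBob's point that the dropper may not be called c?gwiz, as an added example that is not part of the thread: a Python script, meant to be run from a clean machine against the mounted disk, that lists files matching `c?gwiz.*` and any differently named file with identical bytes. It only catches a dropper that copies itself unchanged; the folder contents and the name LOADER32.EXE are constructed for the demonstration.

```python
import fnmatch, hashlib, os, tempfile
from collections import defaultdict

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_renamed_copies(root, pattern="c?gwiz.*"):
    """Return (known, suspects): files whose name matches the DOS-style
    pattern, and differently named files byte-identical to a known copy."""
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            by_size[os.path.getsize(path)].append(path)
    known, suspects = [], []
    for paths in by_size.values():
        named = [p for p in paths if fnmatch.fnmatchcase(
            os.path.basename(p).lower(), pattern.lower())]
        if not named:
            continue  # no known copy has this size, so nothing to hash
        known += named
        wanted = {sha256_of(p) for p in named}
        suspects += [p for p in paths
                     if p not in named and sha256_of(p) in wanted]
    return sorted(known), sorted(suspects)

def demo():
    """Constructed sample tree standing in for a mounted WINDOWS folder."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "SYSTEM")
        os.mkdir(sysdir)
        payload = b"MZ" + b"\x00" * 510      # constructed stand-in bytes
        samples = {
            "CAGWIZ.EXE": payload,           # matches c?gwiz.*
            "CBGWIZ.EXE": payload,           # matches c?gwiz.*
            "LOADER32.EXE": payload,         # same bytes, unrelated name
            "OTHER.DLL": b"\x01" * 512,      # same size, different bytes
            "README.TXT": b"hello",
        }
        for name, data in samples.items():
            with open(os.path.join(sysdir, name), "wb") as fh:
                fh.write(data)
        known, suspects = find_renamed_copies(root)
        base = os.path.basename
        return [base(p) for p in known], [base(p) for p in suspects]

if __name__ == "__main__":
    print(demo())
```
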


#3
June 27th 04, 06:06 AM
Sandi - Microsoft MVP

Updated advice on malware follows:

There are many people who have helped this FAQ improve over time - MVPs and
newsgroup users. I thank all of you who have made the newsgroups,
anti-malware websites and dedicated mailing lists into such a wonderful
resource.

Read the advice at my prevention link
(http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of
your computer being infected.

IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
the URL below - some malware can kill your internet connection when it is
removed, and this software should get things going for you again:
http://www.cexx.org/lspfix.htm

Also get a copy of WINSOCKFIX available at:
http://www.spychecker.com/program/winsockxpfix.html

The software you should download and have ready to use is:

AdAware - www.lavasoft.de [..Warning: AdAware is now version 6.181. All
previous versions are NO LONGER SUPPORTED and will not be updated...]
Spybot Search and Destroy - http://spybot.eon.net.au
HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe
CWShredder - http://www.merijn.org/files/CWShredder.exe

IMPORTANT: After obtaining the required software above, make sure you check
for updates and run the programmes in safe mode.

Malware removal (beginner's guide):

First, go to Control Panel, add/remove programs. Check for malware entries
and use the uninstall programs, then reboot.

Go to start/run and type MSCONFIG. Go to the startup tab. Disable
everything that you do not recognise as legitimate (do not disable any power
profile options).

Now go to the Services tab. Turn on the option to 'hide all Microsoft
Services'. Disable everything that remains. If you don't have this option,
don't worry about it.

Reboot your computer and hold down the F8 key until the boot menu options
appear. Choose Safe Mode as your startup choice. You will find
information about what safe mode is, and what it does, at this link
[http://inetexplorer.mvps.org/data/safe_mode.htm]

Start CWSHREDDER, update it and fix anything it finds. Reboot back into
safe mode.

Start AdAware. Use the 'check for updates now' option. After you have
updated, click 'start'.

Note that when run using default settings, AdAware does not cope with new
'intelligent' malware. Make the following changes to the default settings.

Use the option 'select drives/folders to scan'. Set AdAware to scan your
entire hard drive.

Make sure 'activate in depth scan' is enabled.

Select 'use custom scanning options' and then click on the 'customize'
button. Turn on the following scan options - scan within archives, scan
active processes, scan registry, deep registry scan, scan [my] IE favorites
for banned URLs, and scan [my] hosts file.

Use the 'tweak' button. Turn on the following options:

Cleaning engine: 'automatically try to unregister objects prior to
deletion', 'let windows remove files in use at next reboot', 'delete
quarantined objects after restoring'.
Scanning engine: 'unload recognized processes during scan'.

After you have finished with AdAware run Spybot to pick up any leftovers.
Fix anything marked in red. Again, don't forget to check for updates first.

Also do the following:

Empty your IE cache and your other temporary file folders, eg: c:\temp,
c:\windows\temp or C:\Documents and Settings\name\Local Settings\Temp (the
path to your temp folder will change depending on your name) - sometimes
programmes can be hidden in there - watch out for mysterious *.exe files or
*.dll files in those folders.

Go to IE Tools, Internet Options, Temporary Internet Files {Settings
Button}, View Objects, Downloaded Program Files. Check for unrecognised
objects there.

Go to IE Tools, Internet Options, Accessibility. Make sure there is no style
sheet chosen (under User Style Sheet - format documents using my style
sheet). If the option is turned on, turn it OFF.

If the problem comes back, start all over again but with the following
changes (this section requires advanced computer skills - inexperienced
users will require assistance):

Examine win.ini using MSCONFIG to see what is loading. You may find
something there. Go to MSCONFIG and go to the General tab. Turn off
process win.ini file, load system services and load startup items. Restart
Windows and run AdAware etc once more.

Use services.msc to see what is running. Some malware is now registering
itself as a Service. The problem is working out what is legitimate and what
is not.

I strongly recommend that unless you have strong experience working in this
area that until such time as I am able to track down a comprehensive list of
legitimate services (or put one together myself), that you post details of
the services revealed by services.msc to a microsoft.public newsgroup for
professional guidance. If you turn off the wrong service you could cause
serious problems, and at the very worst, leave the computer unbootable.

An experienced computer technician can use a programme such as AutoStart
Viewer for in-depth diagnosis:
http://www.diamondcs.com.au/index.php?page=asviewer

Another excellent programme for the experienced user is APM (Advanced
Process Manipulation), available at:
http://www.diamondcs.com.au/index.php?page=apm

Once the computer is clean, and if it applies to the operating system,
create a new restore point. The old ones may, of course, be infected with
the malware and therefore cannot be used. Run disk cleanup to remove old
restore points (if your operating system has this option you will find it on
the 'more options' tab of the disk cleanup utility). If the option to remove
old restore points is not available, stop and restart the restore service
which will flush out old restore points and prevent accidental reloading of
malware.

MS have released a limited KB article regarding what they call 'deceptive
software'.
http://support.microsoft.com/default...b;EN-US;827315

Here is advice specific to:

home page hijackings
http://inetexplorer.mvps.org/answers.htm#home_page

pop-up ads
http://inetexplorer.mvps.org/data/popup.htm

search engine hijackings
http://inetexplorer.mvps.org/answers4.htm#search_engine


--
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org

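
The win.ini check from the advanced section of the post above, as an added example that is not part of Sandi's post: a Python parser that lists what `load=` and `run=` in win.ini start, and goes one step beyond the post by also reading `shell=` in system.ini. Both INI samples and the CXGWIZ/CQGWIZ file names are constructed.

```python
import re

# Constructed samples, not taken from the poster's machine.
SAMPLE_WIN_INI = """\
; for 16-bit app support
[windows]
load=C:\\WINDOWS\\SYSTEM\\CXGWIZ.EXE
run=
NullPort=None
[Desktop]
Wallpaper=(None)
"""
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\CQGWIZ.EXE
[386Enh]
device=*vshare
"""

# (section, key) pairs that start programs when Windows 9x boots.
AUTOSTART_KEYS = {("windows", "load"), ("windows", "run"), ("boot", "shell")}

def autostart_entries(ini_text):
    """Yield (section, key, program) for every program an INI file starts."""
    section = ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or (section, key) not in AUTOSTART_KEYS:
            continue
        # Entries are separated by spaces or commas, so a long file name
        # containing a space would be split; review such lines by hand.
        for program in re.split(r"[,\s]+", value.strip()):
            if program:
                yield section, key, program

def unexpected(entries, allowed=("explorer.exe",)):
    """Keep entries whose file name is not on the caller's allow-list."""
    return [e for e in entries
            if e[2].replace("/", "\\").rsplit("\\", 1)[-1].lower() not in allowed]

if __name__ == "__main__":
    for text in (SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        for entry in unexpected(autostart_entries(text)):
            print("review:", entry)
```
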


 




All times are GMT +1.