If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
?Unremovable malware, continued 302 kb sys file additions
I have attempted ALL recommended malware/spyware removal
tools- Ad-Aware, hijack this, spybot-- ALL UPDATED- they removed VX2, Look2me,claria, once. hijack this keeps finding auto.search, etc. McAfee security center on, also their virus scan- NONE of these programs finds any other spyware/malware, except the search engines. Downloaded PestPatrol, which also found VX2 and removed it. Pop-ups, and IE search hijackings continued. 302 kb files in WINDOWS/SYSTEM- cannot remove C*gwiz [* is changeable letter]- says in use by Windows. Properties of this file- Nic Tech Networks, 5/5/04. On every restart, another 302 kb file in Windows System, but I was able to remove those a couple of times, but then PC would freeze, had to control-alt-del to restart. Each restart, Windows is 'reconfiguring your start up files'. I was able to open the C*gwiz file- once- and it had much gibberish, but many messages at end- which pop up frequently, plus the Nic Tech Networks info, along with VeriSign and Fawlte certificate information [sorry I didn't copy all this down]. Then- no CD- missing file. Tried to check system resources, and on each tab click, that option disappeared. Tried to restore registry in DOS- "this program cannot run in DOS". Now I cannot start my PC in safe mode, but when desktop appears, cannot use mouse, and it repeatedly attempts to connect to the internet. Started PC with a boot disk- tried to copy SYS C files [command.com. IO.sys, MSDOS.sys] no go- "needed parameters missing". Ran a full scandisk from boot disk- no problems found. Restarted, attempted to make it a safe mode- opened in regular Windows desktop, but mouse is usable again, continued attempts by malware to connect to the internet [which is disconnected for this computer] Tried calling MS virus help line- after receiving sales pitch to upgrade to XP, was cut off twice. Presentluy running MS Windows98SE, IE 6.0.28000, 128 bit security. Current on all updates. |
#2
|
|||
|
|||
?Unremovable malware, continued 302 kb sys file additions
Try reboot to DOS
del c:\windows\system\c?gwiz.* and realize also that the dropper that is creating the c?gwiz.exe executables may not be called c?gwiz -- Adaware http://www.lavasoft.de spybot http://security.kolla.de AVG free antivirus http://www.grisoft.com Panda online AntiVirus scan http://www.pandasoftware.com/ActiveScan/ Catalog of removal tools http://www.pandasoftware.com/download/utilities/ Blocking Unwanted Parasites with a Hosts file http://mvps.org/winhelp2002/hosts.htm links provided as a courtesy, read all instructions on the pages before use Grateful thanks to the authors/webmasters "pjd190" wrote in message ... | I have attempted ALL recommended malware/spyware removal | tools- Ad-Aware, hijack this, spybot-- ALL UPDATED- they | removed VX2, Look2me,claria, once. hijack this keeps | finding auto.search, etc. McAfee security center on, also | their virus scan- | NONE of these programs finds any other spyware/malware, | except the search engines. Downloaded PestPatrol, which | also found VX2 and removed it. Pop-ups, and IE search | hijackings continued. 302 kb files in WINDOWS/SYSTEM- | cannot remove C*gwiz [* is changeable letter]- says in | use by Windows. Properties of this file- Nic Tech | Networks, 5/5/04. On | every restart, another 302 kb file in Windows System, but | I was able to remove those a couple of times, but then | PC would freeze, had to control-alt-del to restart. Each | restart, Windows is 'reconfiguring your start up files'. | I was able to open the C*gwiz file- once- and it had much | gibberish, but many messages at end- which pop up | frequently, plus the Nic Tech Networks info, along with | VeriSign and Fawlte certificate information [sorry I | didn't copy all this down]. Then- no CD- missing file. | Tried to check system resources, and on each tab click, | that option disappeared. Tried to restore registry in DOS- | "this program cannot run in DOS". Now I cannot start my | PC in safe mode, but when desktop appears, cannot use | mouse, and it repeatedly attempts to connect to the | internet. | Started PC with a boot disk- tried to copy SYS C files | [command.com. IO.sys, MSDOS.sys] no go- "needed | parameters missing". Ran a full scandisk | from boot disk- no problems found. Restarted, attempted | to make it a safe mode- opened in regular Windows | desktop, but mouse is usable again, continued attempts by | malware to connect to the internet [which is disconnected | for this computer] | Tried calling MS virus help line- after receiving sales | pitch to upgrade to XP, was cut off twice. | Presentluy running MS Windows98SE, IE 6.0.28000, 128 bit | security. Current on all updates. | |
#3
|
|||
|
|||
?Unremovable malware, continued 302 kb sys file additions
Updated advice on malware follows:
There are many people who have helped this FAQ improve over time - MVPs and newsgroup users. I thank all of you who have made the newsgroups, anti-malware websites and dedicated mailing lists into such a wonderful resource. Read the advice at my prevention link (http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of your computer being infected. IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from the URL below - some malware can kill your internet connection when it is removed, and this software should get things going for you again: http://www.cexx.org/lspfix.htm Also get a copy of WINSOCKFIX available at: http://www.spychecker.com/program/winsockxpfix.html The software you should download and have ready to use is: AdAware - www.lavasoft.de [..Warning: AdAware is now version 6.181. All previous versions are NO LONGER SUPPORTED and will not be updated...] Spybot Search and Destroy - http://spybot.eon.net.au HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe CWShredder - http://www.merijn.org/files/CWShredder.exe IMPORTANT: After obtaining the required software above, make sure you check for updates and run the programmes in safe mode. Malware removal (beginner's guide): First, go to Control Panel, add/remove programs. Check for malware entries and use the uninstall programs, then reboot. Go to start/run and type MSCONFIG. Go to the startup tab. Disable everything that you do not recognise as legitimate (do not disable any power profile options). Now go to the Services tab. Turn on the option to 'hide all Microsoft Services'. Disable everything that remains. If you don't have this option, don't worry about it. Reboot your computer and hold down the F8 key until the boot menu options appear. Choose Safe Mode as your startup choice. You will find information about what safe mode is, and what it does, at this link [http://inetexplorer.mvps.org/data/safe_mode.htm] Start CWSHREDDER, update it and fix anything it finds. Reboot back into safe mode. Start AdAware. Use the 'check for updates now' option. After you have updated, click 'start'. Note that when run using default settings, AdAware does not cope with new 'intelligent' malware. Make the following changes to the default settings. Use the option 'select drives/folders to scan'. Set AdAware to scan your entire hard drive. Make sure 'activate in depth scan' is enabled. Select 'use custom scanning options' and then click on the 'customize' button. Turn on the following scan options - scan within archives, scan active processes, scan registry, deep registry scan, scan [my] IE favorites for banned URLs, and scan [my] hosts file. Use the 'tweak' button. Turn on the following options: Cleaning engine: 'automatically try to unregister objects prior to deletion', 'let windows remove files in use at next reboot', 'delete quarantined objects after restoring'. Scanning engine: 'unload recognized processes during scan'. After you have finished with AdAware run Spybot to pick up any leftovers. Fix anything marked in red. Again, don't forget to check for updates first. Also do the following: Empty your IE cache and your other temporary file folders, eg: c:\temp, c:\windows\temp or C:\Documents and Settings\name\Local Settings\Temp (the path to your temp folder will change depending on your name) - sometimes programmes can be hidden in there - watch out for mysterious *.exe files or *.dll files in those folders. Go to IE Tools, Internet Options, Temporary Internet Files {Settings Button}, View Objects, Downloaded Program Files. Check for unrecognised objects there. Go to IE Tools, Internet Options, Accessibility. Make sure there is no style sheet chosen (under User Style Sheet - format documents using my style sheet). If the option is turned on, turn it OFF. If the problem comes back, start all over again but with the following changes (this section requires advanced computer skills - inexperienced users will require assistance): Examine win.ini using MSCONFIG to see what is loading. You may find something there. Go to MSCONFIG and go to the General tab. Turn off process win.ini file, load system services and load startup items. Restart Windows and run AdAware etc once more. Use services.msc to see what is running. Some malware is now registering itself as a Service. The problem is working out what is legitimate and what is not. I strongly recommend that unless you have strong experience working in this area that until such time as I am able to track down a comprehensive list of legitimate services (or put one together myself), that you post details of the services revealed by services.msc to a microsoft.public newsgroup for professional guidance. If you turn off the wrong service you could cause serious problems, and at the very worst, leave the computer unbootable. An experienced computer technician can use programme such as AutoStart Viewer for in-depth diagnosis: http://www.diamondcs.com.au/index.php?page=asviewer Another excellent programme for the experienced user is APM (Advanced Process Manipulation), available at: http://www.diamondcs.com.au/index.php?page=apm Once the computer is clean, and if it applies to the operating system, create a new restore point. The old ones may, of course, be infected with the malware and therefore cannot be used. Run disk cleanup to remove old restore points (if your operating system has this option you will find it on the 'more options' tab of the disk cleanup utility. If the option to remove old restore points is not available, stop and restart the restore service which will flush out old restore points and prevent accidental reloading of malware. MS have released a limited KB article regarding what they call 'deceptive software'. http://support.microsoft.com/default...b;EN-US;827315 Here is advice specific to: home page hijackings http://inetexplorer.mvps.org/answers.htm#home_page pop-up ads http://inetexplorer.mvps.org/data/popup.htm search engine hijackings http://inetexplorer.mvps.org/answers4.htm#search_engine -- _______________________________________ Sandi - Microsoft MVP since 1999 (IE/OE) http://inetexplorer.mvps.org "pjd190" wrote in message ... I have attempted ALL recommended malware/spyware removal tools- Ad-Aware, hijack this, spybot-- ALL UPDATED- they removed VX2, Look2me,claria, once. hijack this keeps finding auto.search, etc. McAfee security center on, also their virus scan- NONE of these programs finds any other spyware/malware, except the search engines. Downloaded PestPatrol, which also found VX2 and removed it. Pop-ups, and IE search hijackings continued. 302 kb files in WINDOWS/SYSTEM- cannot remove C*gwiz [* is changeable letter]- says in use by Windows. Properties of this file- Nic Tech Networks, 5/5/04. On every restart, another 302 kb file in Windows System, but I was able to remove those a couple of times, but then PC would freeze, had to control-alt-del to restart. Each restart, Windows is 'reconfiguring your start up files'. I was able to open the C*gwiz file- once- and it had much gibberish, but many messages at end- which pop up frequently, plus the Nic Tech Networks info, along with VeriSign and Fawlte certificate information [sorry I didn't copy all this down]. Then- no CD- missing file. Tried to check system resources, and on each tab click, that option disappeared. Tried to restore registry in DOS- "this program cannot run in DOS". Now I cannot start my PC in safe mode, but when desktop appears, cannot use mouse, and it repeatedly attempts to connect to the internet. Started PC with a boot disk- tried to copy SYS C files [command.com. IO.sys, MSDOS.sys] no go- "needed parameters missing". Ran a full scandisk from boot disk- no problems found. Restarted, attempted to make it a safe mode- opened in regular Windows desktop, but mouse is usable again, continued attempts by malware to connect to the internet [which is disconnected for this computer] Tried calling MS virus help line- after receiving sales pitch to upgrade to XP, was cut off twice. Presentluy running MS Windows98SE, IE 6.0.28000, 128 bit security. Current on all updates. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Explorer action on double-click | Ivan Bútora | General | 10 | July 21st 04 03:38 PM |
Why is everything saving to notepad? | Lestat | General | 1 | July 18th 04 05:38 AM |
sprder.dll file not found | MSouza | Internet | 1 | June 17th 04 02:21 PM |
Setting file attributes | Richard | General | 3 | June 13th 04 12:32 AM |
Long file name Problem | Canapril | General | 1 | June 12th 04 03:36 AM |