Bill
Wed May 19 10:06:10 CDT 2004
I don't know what to look for in the defrag approach--I'd just suggest
running it and letting you know what happens.
Take a look at the message from rsteel posted to the thread--it looks
promising.
"Gary Roach" <jgroach@NOSPAMcogeco.ca> wrote in message
news:uGZZPcZPEHA.620@TK2MSFTNGP10.phx.gbl...
> I'm doing this for somebody whose computer I don't have access to. I'm
> forwarding suggestions to him. Should I suggest the defrag method? I've
> told him to try CWShredder in safe mode but haven't heard back from him.
> If he uses the defrag method, would he do it in safe mode? What indication
> would he get to indicate that the "culprit" file was in use? You mention
> other methods but the only one I know is from the post that says to use
> find-all.bat. Thanks for the help,
>
> gary
>
> "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
> news:uXpGPZTPEHA.1160@TK2MSFTNGP09.phx.gbl...
>> Hmm - ought to be easier in 98.
>>
>> Do any of the methods of spotting the "culprit".dll file make any sense
>> to you?
>>
>> It should still show as in use during a defrag or other operation on Win98.
>>
>> What I read Mike Burgess as saying is that the .DLL file is randomly
>> named, making it hard to spot.
>>
>> HijackThis, and a post to a spyware forum, maybe with about:blank in the
>> subject header ought to get you some good attention, I'd think.
>>
>> Have you run both Ad-aware (current version and definitions) and
>> CWShredder (1.57??) in Safe mode?
>>
>>
>>
>> "Gary Roach" <jgroach@NOSPAMcogeco.ca> wrote in message
>> news:etyoBDTPEHA.3476@tk2msftngp13.phx.gbl...
>> > Bill,
>> >
>> > I saw that post but I think that's for XP. I'm running 98. When I tried
>> > "find-all.bat" I got a bunch of errors and the output.txt file didn't
>> > list any infection. I know that I've got CWS-searchx because CWShredder
>> > keeps reporting it.
>> >
>> > "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
>> > news:%23g5FQnSPEHA.2704@TK2MSFTNGP10.phx.gbl...
>> >> I'm going to post two messages here, both from a thread in this same
>> >> group, and not very far away in time.
>> >>
>> >> The second is from PABear, giving Mike Burgess' (old) recipe for
>> >> removal of about:blank.
>> >>
>> >> However, read Mike Burgess' current advice first:
>>
>> >> ------------------------------------------------------------------------------
>> >> PA Bear,
>> >> FYI: the (CWS) infection for "About:Blank" seems to have morphed.
>> >>
>> >> About the only method that seems to work now is to discover the
>> >> culprit dll, then install the "Recovery Console", boot to that, then
>> >> "attrib -r -h -s" the culprit dll. Then "del <filename>.dll", then
>> >> clean up the Registry with CWShredder and Ad-Aware ... = PITA!
>> >>
>> >> In some cases you can discover the culprit by running Defrag; there
>> >> will be a (culprit dll) filename noted in the log.
>> >> ____________________________________________________________
>> >> Mike Burgess [MVP Windows Shell\User]
>> >>
>> >> http://www.mvps.org/winhelp2002/
>> >> Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS
>> >> file
>> >>
>> >> http://www.mvps.org/winhelp2002/hosts.htm [updated 05-15-04]
>> >> Please post replies to this Newsgroup, email address is invalid
>> >> --
>>
>> >> ------------------------------------------------------------------------------
>> >>
>> >> PA Bear writes:
>> >>
>> >> [Posted numerous times in this newsgroup: http://snipurl.com/6hka]
>> >>
>> >> Here is MVP Mike Burgess' fix for CWS.Searchx (a CWS.Aboutblank variant):
>> >>
>> >> <paste>
>> >> Ok, here goes ... this is my "How To:" (Hint: print out the below)
>> >>
>> >> [Tools and files needed]
>> >>
>> >> Download: "RepairAppInit.reg" (XP\2K only!)
>> >>
>> >> http://www.mvps.org/winhelp2002/RepairAppInit.reg
>> >> Do not do anything with this file yet, it will be needed later.
>> >>
>> >> Download: CWShredder
>> >>
>> >> http://www.spywareinfo.com/~merijn/files/hijackthis.zip
>> >> Unzip, but do not run it yet, it will be needed later.
>> >>
>> >> Download: Ad-Aware
>> >>
>> >> http://www.lavasoft.de/software/adaware/
>> >> Install, but do not run it yet, it will be needed later.
>> >>
>> >> Download: Find-All.zip
>> >>
>> >> http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
>> >> Unzip, but do not run it yet, it will be needed later.
>> >>
>> >> Download: WINFILE.zip
>> >>
>> >> http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
>> >> Unzip, but do not run it yet, it will be needed later.
>> >>
>> >> Download: Registrar Lite [freeware]
>> >>
>> >> http://www.resplendence.com/download
>> >> Install, but do not run it yet, it will be needed later.
>> >>
>> >> [Step1]
>> >>
>> >> Double-click the included "Find-All.bat" file from Find-All.zip.
>> >> Generates: "output.txt"
>> >> Note: if infected you will see:
>> >>
>> >> Locked file(s) found...
>> >> C:\WINDOWS\System32\<filename> +++ File read error
>> >> where "<filename>" is the hidden, invisible installer.
>> >> Note: "+++ File read error" is not an error; this just identifies the
>> >> culprit.
>> >>
>> >> [Step2]
>> >>
>> >> Run "Registrar Lite" and navigate to:
>> >> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
>> >> Double click on "AppInit_DLLs" entry (right pane)
>> >> The size will likely be something other than "1" (if infected)
>> >> IMPORTANT: Make a note of the filename and location (folder)
>> >>
>> >> [Step3]
>> >>
>> >> Rename the highlighted "Windows" key (left pane)
>> >> To rename: Right-click and select: Rename
>> >> (type) NoWindows
>> >>
>> >>
>> >> Double-click "AppInit_DLLs" again (right pane)
>> >> Clear (delete) the "Value" containing the .dll and click Ok.
>> >>
>> >>
>> >> IMPORTANT: Rename the "NoWindows" key (left pane)
>> >> To rename: Right-click and select: Rename
>> >> (type) "Windows" (no quotes) and close RegLite.
>> >>
>> >> [Step 4]
>> >>
>> >> Using Windows Explorer go to your root drive: (typically) "C:\"
>> >> Click File (up top) select: New > Folder
>> >> (type) "Junk" (no quotes)
>> >>
>> >> Open Winfile
>> >>
>> >> Navigate to System32 folder.
>> >> Click File (up top) select: Move
>> >>
>> >> Copy and paste this into the 'From' box: C:\WINDOWS\System32\<filename>.dll
>> >> Copy and paste this into the 'To' box: C:\Junk\<filename>.dll
>> >>
>> >> Note: where "<filename>" = culprit dll from "output.txt"
>> >>
>> >> Click OK. Close Winfile
>> >> Open Windows Explorer and check in C:\Junk for the "<filename>.dll" file.
>> >>
>> >> At this point see if you can rename the "<filename>.dll"
>> >> Do this several times, changing the name and extension each time.
>> >> Then see if you can "Move" to "A:\" (floppy)
>> >>
>> >> [Step 5]
>> >>
>> >> Locate: "RepairAppInit.reg" right-click and select: Merge
>> >> Ok the prompt
>> >>
>> >> [Step 6]
>> >>
>> >> Open Regedit (Start | Run (type) "regedit" (no quotes)
>> >> Use the Search function for the <filename>.dll
>> >> Click: Edit (up top) select: Find
>> >> (type) <filename>.dll, click: Find Next
>> >>
>> >> Note: where "<filename>" = culprit dll from "output.txt"
>> >>
>> >> Remove all instances found. Press "F3" to continue searching
>> >> until you see the "Completed" message.
>> >>
>> >> Next repeat the above steps, substituting the "secondary dll"
>> >> From: "text/html" as seen in the "output.txt"
>> >>
>> >>
>> >> [Step 7]
>> >>
>> >> Run CWShredder and reboot.
>> >>
>> >> [Step 8]
>> >> Run Ad-Aware
>> >>
>> >> Reconfigure Ad-Aware for Full Scan:
>> >> Please update the reference file following the instructions here:
>> >>
>> >> http://www.lavahelp.com/howto/updref/index.html
>> >>
>> >> Launch the program, and click on the Gear at the top of the start screen.
>> >>
>> >> Click the "Scanning" button.
>> >> Under Drives & Folders, select "Scan within Archives".
>> >> Click "Click here to select Drives + folders" and select your
>> >> installed hard drives.
>> >>
>> >> Under Memory & Registry, select all options.
>> >> Click the "Advanced" button.
>> >> Under "Log-file detail", select all options.
>> >> Click the "Tweaks" button.
>> >>
>> >> Under "Scanning Engine", select the following:
>> >> "Include additional Ad-aware settings in logfile" and
>> >> "Unload recognized processes during scanning."
>> >> Under "Cleaning Engine", select the following:
>> >> "Let Windows remove files in use after reboot."
>> >> Click on 'Proceed' to save these Preferences.
>> >> Please make sure that you activate IN-DEPTH scanning before you proceed.
>> >>
>> >> After the above post a fresh log ...
>> >> --
>> >>
>> >> Disclaimer: Renaming the "Windows" key modifies some security
>> >> settings.
>> >>
>> >> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
>> >>
>> >> Right-click the "Windows" key, select: Permissions
>> >>
>> >> [Example]
>> >> Before renaming the "Windows" key:
>> >>
>> >> "Path"
>> >> "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
>> >> "Read":
>> >> *"Administrators
>> >> *Power Users
>> >> *Users"
>> >> "Write"
>> >> *"Administrators"
>> >>
>> >> --
>> >> [Example]
>> >>
>> >> After Renaming the key:
>> >>
>> >> "Path"
>> >> "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
>> >> "Read":
>> >> ***"Everyone"***
>> >> "Write"
>> >> *"Administrators
>> >> --
>> >>
>> >> You need to check that, and if 'Everyone' was added (as seen above)
>> >> you need to reset your original settings as follows:
>> >> Note: do this after removing the infection.
>> >>
>> >> Right-click "Windows", select: Permissions
>> >> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
>> >>
>> >> Click Advanced [button]
>> >> If the "inherit permissions" box is checked = Uncheck it.
>> >> Then select "COPY" on the prompt.
>> >>
>> >> Select "Everyone Group" (if listed) and remove. (only the group)
>> >> You can individually view/edit each group settings.
>> >> Be sure "Administrators" and "System" have full control on all.
>> >> Note: Creator owner full control on Sub keys only.
>> >> "Power users" and "users" = "read control".
>> >> </paste>
>> >> --
>> >> HTH - Please Reply to This Thread
>> >>
>> >> ~Robear Dyer (PA Bear)
>> >> MS MVP-Windows (IE/OE), AH-VSOP
>> >>
>> >> AumHa Forums
>> >>
>> >> http://forum.aumha.org
>> >>
>> >> What You Should Know About Spyware
>> >>
>> >> http://www.microsoft.com/mscorp/twc/privacy/spyware.mspx
>> >>
>>
>> >> ------------------------------------------------------------------------------
>> >> "Gary Roach" <jgroach@NOSPAMcogeco.ca> wrote in message
>> >> news:uupv08QPEHA.1048@tk2msftngp13.phx.gbl...
>> >> > I'm experiencing problems with IE 6 under Windows 98. The startup
>> >> > page keeps resetting to about:blank which shows a search page with a
>> >> > bunch of categories. I used CWShredder 1.57.0 with up to date patterns
>> >> > to clean up CWS and it said it got rid of the searchx strain. However,
>> >> > the problem didn't go away. I tried running CWShredder again and again
>> >> > it reported searchx to be present and that it cleaned it up. Any idea
>> >> > how to actually get rid of it? Thanks for any help,
>> >> >
>> >> > gary
>> >> >
>> >> > --
>> >> > Gary Roach
>> >> > ADB Services
>> >> >
>> >> >
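Mike Burgess' recipe above names the culprit by combining two indicators: a System32 file that Find-All reports as locked ("+++ File read error"), and a DLL path sitting in the AppInit_DLLs value of the Windows key (a value whose DLLs get loaded into every process that loads user32.dll, which is why the hijacker survives ordinary cleanup). The script below is an added example written for this page; it is not code from the thread, from Find-All, CWShredder, or Registrar Lite. It parses an output.txt and a .reg export of the Windows key as plain text, so it runs offline on any platform, and cross-references the two. Both sample inputs are constructed, and the filename abcd1234.dll is made up to stand in for the randomly named DLL the thread describes.

```python
"""Offline cross-check of the two indicators in the CWS about:blank recipe.

Added example, not part of the original newsgroup thread or of any tool it
names. Inputs are text: a Find-All "output.txt" and a .reg export of
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows.
"""
import re
from typing import List

# Constructed sample in the shape of the "Locked file(s) found..." excerpt
# quoted above; abcd1234.dll is a made-up stand-in for the random DLL name.
SAMPLE_OUTPUT_TXT = """\
Find-All report (constructed sample)
Locked file(s) found...
C:\\WINDOWS\\System32\\abcd1234.dll +++ File read error
C:\\WINDOWS\\System32\\ntdll.dll
"""

# Constructed sample of a .reg export of the key named in Step 2. .reg files
# double every backslash inside string values, which the parser undoes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\abcd1234.dll"
"DeviceNotSelectedTimeout"="15"
"""

WINDOWS_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"

# A drive-letter path followed by the marker Find-All prints for a file it
# could not read; the lazy ".+?" keeps trailing whitespace out of the path.
LOCKED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+\+\+\+ File read error\s*$")


def locked_files(output_txt: str) -> List[str]:
    """Paths flagged '+++ File read error' after the 'Locked file(s) found' marker."""
    found: List[str] = []
    in_block = False
    for line in output_txt.splitlines():
        if line.startswith("Locked file(s) found"):
            in_block = True
            continue
        if not in_block:
            continue
        m = LOCKED_RE.match(line.strip())
        if m:
            found.append(m.group("path"))
    return found


def appinit_dlls(reg_export: str) -> List[str]:
    """DLL paths in AppInit_DLLs under the Windows key of a .reg export.

    The value is a space- or comma-separated list. Only the plain quoted-string
    encoding is handled; hex(...) encodings yield an empty list.
    """
    in_key = False
    for line in reg_export.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_key = stripped.lower() == WINDOWS_KEY.lower()
            continue
        if in_key and stripped.startswith('"AppInit_DLLs"='):
            raw = stripped.split("=", 1)[1]
            if not (raw.startswith('"') and raw.endswith('"')):
                return []
            # Undo .reg escaping: \" -> " and \\ -> \
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            return [p for p in re.split(r"[ ,]+", value) if p]
    return []


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def correlate(output_txt: str, reg_export: str) -> List[str]:
    """AppInit_DLLs entries whose file name also appears in the locked-file list.

    Matching on the file name (not the full path) tolerates an AppInit_DLLs
    value that stores only the name, which is why the recipe tells you to note
    both the filename and its folder.
    """
    locked_names = {_basename(p) for p in locked_files(output_txt)}
    return sorted(p for p in appinit_dlls(reg_export) if _basename(p) in locked_names)


if __name__ == "__main__":
    for hit in correlate(SAMPLE_OUTPUT_TXT, SAMPLE_REG_EXPORT):
        print("locked AND registered in AppInit_DLLs:", hit)
```

Run it as-is to see the constructed sample flagged, or feed it a real output.txt and a .reg export made with regedit's File > Export. A path that is locked but absent from AppInit_DLLs, or listed there but readable, is still worth a look, which is why the two lists are returned separately as well as correlated.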