AM, are you and CC sharing stuff in emails or something? He called me this morning with computer woes. Sounds like you probably have some malware hanging out on your system.
Warning: The following instructions I'm about to give are for your Windows ME and not other OSes, even though much of the same applies.
Depending on the circumstances and what you use your computer for, the best approach may be to back up your data/wipe/reinstall. A clean install is the only 100% guaranteed way to return the computer to a fully functioning state. If the computer is used for anything important I'd do a clean install.
If the above is not a possibility, keep in mind that some malware is very well defended, so it's worth some time and effort to prevent it from running in the first place before trying to remove it.
Preparation:
Disconnect machine from any and all computer networks. Use a PS/2 based mouse and keyboard rather than USB.
Backup:
Make a backup image of your HDD or at a minimum back up your data to CD or other removable media.
Back up your registry.
Stop the malware from running:
Boot to Safe Mode with F8.
Ensure Windows Explorer is displaying hidden and system files.
Using a separate computer that is "clean", download the AutoRuns program from SysInternals.
Unzip and run autoruns.exe from removable media (beware of malware with a good name in a bad directory, e.g. the real version of winlogon.exe resides in the C:\Windows\system32 directory, but a copy of winlogon.exe in the C:\Windows directory is bad. Slight spelling errors, such as a winlogin.exe in the C:\Windows\system32 directory, are also bad).
Check the "hosts" file (in C:\WINDOWS) and if it has any entries other than 127.0.0.1, comment them out.
Look for Browser Helper Objects (BHOs) and disable anything you don't recognize. When in doubt disable it, you can always re-enable a BHO later.
Using a separate computer that is "clean", download BHOdemon from Definitive Solutions. Since this is larger I'd recommend burning it to a CD on the "clean computer" and running it from that CD. Go here to see what is what: "X" means malware, "L" means benign.
Reboot back into Safe Mode.
Using a separate computer that is "clean", download Process Explorer from SysInternals.
Unzip and run procexp.exe from removable media to examine all the running programs. For each malware program keep track of the location of the underlying executable file. Kill each malware process and rename the underlying executable file, and if the underlying executable file resides in its own directory rename the directory too. If you can't kill the process, boot to DOS and rename the underlying file from there using basic DOS commands like cd and ren.
If you went to DOS, reboot back into Safe Mode and finish the above, or manually inspect by checking the [windows] section of win.ini looking for an entry such as load=spyware.exe and run=spyware.exe, the [boot] section of system.ini looking for an entry such as Shell = explorer.exe spyware.exe, and the autoexec.bat looking for something like c:\spyware.exe.
Check for other errors:
Reboot back into Safe Mode.
Run a full Scandisk or Check Disk.
Make another registry backup.
Delete the malware:
Reboot back into Safe Mode.
Remove any programs you don't recognize by using Add/Remove Programs in the Control Panel. Also be sure to look for toolbars, helper programs, etc. that can also cause problems.
I've never seen a computer with so many anti-spyware programs installed, but from my experience I'll bet that they are clashing on some things. Also, be aware that running the usual anti-malware software can create problems when installing MS OS updates, other software installs, and other software updates. I'd think about removing all of them and later you can reinstall the ones you think you need...I like and use Lavasoft's Ad-Aware on my own system, but only install Spybot Search & Destroy if there are problems when cleaning someone's system. I cleaned a system about three weeks ago that was the worst system I've ever seen infected with malware/spyware. It took me three hours to get it all.
Boot normally.
Use the process monitor to check for any malware that might have been auto-started. Anything showing up usually creates a new instance of itself or uses other names and runs from different locations at each startup. Note the underlying executable file, reboot to DOS, and rename the file.
Delete all of the following:
- All ActiveX controls (reside in C:\WINDOWS\Downloaded Program Files)
- The web browser cache (Temporary Internet Files)
- Cookies
- web browser history
- Empty recycle bin
- Disable System Restore to delete the old Restore points, then re-enable it and take a new Restore point.
Reboot normally.
Make sure no malware is auto-started at this point.
Look in the IE Trusted Zone and delete any web sites listed (Tools -> Internet Options -> Security Tab -> Trusted Zones -> Sites button).
Look through your IE Favorites and delete anything that looks suspicious.
Change the IE home page to a blank page (Tools -> Internet Options -> General).
Remove any trusted publishers (Tools -> Internet Options -> Content, click the Publishers button).
Get a firewall program up and running. I use and recommend the latest version of Symantec's Norton Standard Edition Internet Security (it has an anti-virus included) and it is probably what you're using already. If you already have a firewall installed, review the rules to make sure you know what is allowed to access the network/Internet. If you're not sure, then uninstall the firewall and do a clean install of the latest version.
Connect your system to the LAN or however you connect to the Internet.
Scan your HDDs with Housecall from Trend Micro.
Scan your HDDs with Security Check from Symantec.
Download Lavasoft's Ad-Aware SE Personal and scan the system.
Download Spybot Search & Destroy and scan the system.
Change the IE home page back to http://www.professionalsoldiers.com/
Prevention:
1st, get your programs up to date and set up your programs better:
- run Windows Update manually
- set Windows Update for automatic updates
- adjust IE settings for high security
- lower the size of the IE cache
- lower the size of the System Restore cache
- defrag
- delete TEMP files
- install an anti-virus product and update the software & datafiles
- set anti-virus software for automatic updates
- update other software you use...I use the technical cyber alert system here, but there is also a non-technical one there.
- Use programs that aren't such large targets as Microsoft products, like the Firefox browser or Thunderbird email program
2nd, learn what is good and what is bad. 99% of programs that are free and not from a reputable company probably have malware included in them. Don't install them! Read the EULAs...99% of them even say in the EULA that they have tracking software included, but most people just click "agree" and install them. I could go on all day here in this area, but won't because I don't have the time after putting this together.
Good luck, Dan
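The hosts-file and win.ini/system.ini checks described in the post, as an added example that is not part of the original post: a small Python script that parses constructed copies of those files and reports the entries the post says to look for. It goes slightly beyond the post's hosts rule by also flagging 127.0.0.1 lines that point at anything other than localhost, a common way malware blocks update or vendor sites. The file contents and the name spyware.exe are constructed samples.

```python
# Constructed sample files mimicking a Windows ME system (not from the original post).
HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 www.example-bank.invalid
10.0.0.5 update.windows-update.invalid
"""

WIN_INI = """[windows]
load=spyware.exe
run=
[Desktop]
Wallpaper=
"""

SYSTEM_INI = """[boot]
shell=explorer.exe spyware.exe
"""


def suspicious_hosts_lines(text):
    """Return hosts entries other than the expected '127.0.0.1 localhost'."""
    bad = []
    for line in text.splitlines():
        entry = line.split('#', 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        ip, names = entry.split()[0], entry.split()[1:]
        if ip != '127.0.0.1' or names != ['localhost']:
            bad.append(entry)
    return bad


def ini_section(text, section):
    """Return {key: value} for one [section] of a win.ini-style file (case-insensitive)."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
        elif current == section.lower() and '=' in line:
            key, value = line.split('=', 1)
            values[key.strip().lower()] = value.strip()
    return values


def startup_findings(win_ini, system_ini):
    """Flag the Win9x/ME autostart hooks the post describes: load=, run= and shell=."""
    findings = []
    win = ini_section(win_ini, 'windows')
    for key in ('load', 'run'):
        if win.get(key):                          # any non-empty value is unexpected
            findings.append(f'win.ini [windows] {key}={win[key]}')
    shell = ini_section(system_ini, 'boot').get('shell', '')
    parts = shell.split()
    extra = parts[1:] if parts and parts[0].lower() == 'explorer.exe' else parts
    if extra:                                     # anything besides plain explorer.exe
        findings.append('system.ini [boot] shell=' + shell)
    return findings
```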