Spyware/Worm/Trojan, I just can't work out which.

Guest

I find this site particularly helpful and have used it in the past and the
advice has always provided me with a solution. However my computer novice
Uncle has managed to very badly damage his (XP) computer. I first suspected
that it was Spyware so downloaded Spybot and others to remove the offending
articles. I thought I had succeeded but the computer is still the same. I
did a Norton Virus check and this turned up 4 viruses including Bat.Trojan x2
and W32 Y and X x2. These were deleted, Hooray! I thought but again the
computer is running exactly the same. The CPU usage is at 100%, I cannot get
Task Manager, I cannot surf the net (This page cannot be found, constantly),
programmes take about 5 minutes to open. I have tried all the recommended
solutions, I would be grateful for some help.
 
Guest

I'm sorry but I am not blessed with a great deal of computer knowledge
myself. How would this help me?
 
David H. Lipman

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (personal free version)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download sysclean.com and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt202.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

You can also try some of the below online scanners.

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

Symantec:
http://security.symantec.com/

BitDefender
http://www.bitdefender.com/scan/license.php

Freedom Online scanner
http://www.freedom.net/viruscenter/index.html


* * * Please report your results ! * * *

Dave





| I find this site particularly helpful and have used it in the past and the
| advice has always provided me with a solution. However my computer novice
| Uncle has managed to very badly damage his (XP) computer. I first suspected
| that it was Spyware so downloaded Spybot and others to remove the offending
| articles. I thought I had succeeded but the computer is still the same. I
| did a Norton Virus check and this turned up 4 viruses including Bat.Trojan x2
| and W32 Y and X x2. These were deleted, Hooray! I thought but again the
| computer is running exactly the same. The CPU usage is at 100%, I cannot get
| Task Manager, I cannot surf the net (This page cannot be found, constantly),
| programmes take about 5 minutes to open. I have tried all the recommended
| solutions, I would be grateful for some help.
 
Juan

Hi chuffy07:

There is no need to format the drive or any other stuff. At most, and only
if the bug returns after the following, you should disable the System
Restore feature and try again. For your information, and by the symptoms you
describe, it's a CoolWebSearch browser hijacker. There are specific programs
to delete that type of parasite: "CWShredder 2.0" (the new version should
do the job) and "CoolWWWSearch SmartKiller MiniRemoval"; "SpywareBlaster"
may also do the trick. Run the other programs in Safe Mode after updating
them and with the Internet connection wire disconnected. Also stop the
hijacker program in Start\Run\msconfig\Start[tab]\uncheck any
suspicious program running here.

Three ways to enable the Taskmanager.
Download and execute the registry edit file, Edit the registry key manually,
or Edit the GPO directive [XP Pro version only] full instructions here:
http://www.mvps.org/sramesh2k/Taskmanager_error.htm
After this, search for the hijacker in the taskmanager and End Process.

CoolWWWSearch SmartKiller MiniRemoval
http://www.spychecker.com/program/miniremovalcw.html
removes CoolWebSearch hijackers.

SpywareBlaster (free)
http://www.javacoolsoftware.com/spywareblaster.html

CWShredder 2.0 http://www.spywareinfo.com/~merijn/
http://www.intermute.com/spysubtract/cwshredder_download.html

A description of the Safe Mode Boot Options in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;315222&Product=winxp

Registry editing removes hijackers, spyware and trojans:
Start\Run\regedit.msc\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
should only have the predetermined alphanumeric value
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-
should only have the predetermined alphanumeric value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
should have the predetermined alphanumeric value and a few other
alphanumeric values set there by the antivirus.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
should only have the predetermined alphanumeric value.

Unless you have installed program(s) that are set to run at startup,
which would show up here, any other values in any of the four keys
should be considered as malicious and should be deleted; it's
very likely the hijacker.

To avoid unforeseen problems, you should always, when deleting
something from the registry, back up the appropriate key for later
restoration if necessary. To back up the key, right click on Run or Run-
and select Export, and save to. To restore the key, double click the
.reg file and confirm restoration.
If you confirm that you have deleted the parasite from the registry, go and
delete the backed up .reg file.
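
Added example, not part of the post above: a Python sketch that reads the `.reg` backup made with Export and lists every value under the four Run keys, so entries can be reviewed before anything is deleted. The function names, the allowlist argument and the sample export are assumptions constructed for illustration.

```python
import re
# The four keys named in the post ("Run-" included because the post lists it).
RUN_KEYS = {k.casefold() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-",
)}
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def decode_export(raw):  # version 5.00 exports are UTF-16LE with a BOM, REGEDIT4 is ANSI
    return raw[2:].decode("utf-16-le") if raw[:2] == b"\xff\xfe" else raw.decode("cp1252")

def unquote(s):  # strip the surrounding quotes and undo the backslash escapes
    return re.sub(r"\\(.)", r"\1", s[1:-1])

def decode_data(data):
    if data.startswith('"'):                      # REG_SZ
        return unquote(data)
    if data.startswith("hex(2):"):                # REG_EXPAND_SZ, UTF-16LE bytes
        raw = bytes.fromhex(data[7:].replace(",", ""))
        return raw.decode("utf-16-le").rstrip("\0")
    return data                                   # other types are left as exported

def run_entries(text):  # (key, value name, data) for each value under the Run keys
    text = re.sub(r"\\\r?\n\s*", "", text)        # join hex continuation lines
    key, found = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.casefold() in RUN_KEYS and (m := VALUE.match(line)):
            name = "(Default)" if m.group(1) == "@" else unquote(m.group(1))
            found.append((key, name, decode_data(m.group(2))))
    return found

def unrecognised(entries, known_names):
    """Entries that are neither the default value nor a startup item you recognise."""
    known = {n.casefold() for n in known_names}
    return [e for e in entries if e[1] != "(Default)" and e[1].casefold() not in known]

SAMPLE = b"\xff\xfe" + (  # constructed export, not taken from the thread
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"\r\n'
    '"example-unknown"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,\\\r\n'
    "  78,00,2e,00,65,00,78,00,65,00,00,00\r\n"
).encode("utf-16-le")
```

Calling `unrecognised(run_entries(decode_export(raw)), known_names)` on the bytes of a real export returns only the entries whose names are not in the list of startup programs you expect.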



 
ultplyr

Format c: will wipe out your entire drive. For your information it
erases everything.
 
David H. Lipman

Not everything ! Just regular data.
Boot Sector Infectors can still exist after a format or even "FDisk /mbr"

Dave




| Format c: will wipe out your entire drive. For your information it
| erases everything.
|
| > I'm sorry but I am not blessed with a great deal of computer knowledge
| > myself. How would this help me?
| >
| > "Steve W" wrote:
| >
| > > Format c:
| > >
| > > "chuffy07" wrote:
| > >
| > > > I find this site particularly helpful and have used it in the past and the
| > > > advice has always provided me with a solution. However my computer novice
| > > > Uncle has managed to very badly damage his (XP) computer. I first suspected
| > > > that it was Spyware so downloaded Spybot and others to remove the offending
| > > > articles. I thought I had succeeded but the computer is still the same. I
| > > > did a Norton Virus check and this turned up 4 viruses including Bat.Trojan x2
| > > > and W32 Y and X x2. These were deleted, Hooray! I thought but again the
| > > > computer is running exactly the same. The CPU usage is at 100%, I cannot get
| > > > Task Manager, I cannot surf the net (This page cannot be found, constantly),
| > > > programmes take about 5 minutes to open. I have tried all the recommended
| > > > solutions, I would be grateful for some help.
 
