Can't type in IE 6 or OE on Win XP Home PC

[Jan Il]

Hi Tony

OK....I wanted you to try the information below first, so, let's see if we
can get this to work.

I found these tips at this site, which you might want to make note of for
future reference, as there are a lot of really good tips here that can come
in handy: http://www.onecomputerguy.com/windowsxp_tips.htm

NOW - try this one and see where we get. This gives you a work around for
the problem you said you had with the CD.

Running SFC without a CD ROM
Added 6/9/04

If you run sfc /scannow and get prompted to insert a CD,
there are a couple of changes you might need to make.

Slipstream your copy of WindowsXP with the latest service pack you have
applied.
For detailed instructions on how to do this see:

SlipStreaming a Service Pack into Windows XP
http://www.onecomputerguy.com/install/winxp_slipstream.htm

Once these files are on your hard drive, you can simply make a few registry
changes to point to those locations.

Start Regedit

Go to the follow locations and change the path to wherever you copied the
source files.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePa
ckSourcePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePat
h
the last one might not be necessary
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SourcePath

If that does not work, try this next:

Yes, it might very well be part of the over all. The 'stop cryptsvc' issue.
You try the information here too.
http://www.updatexp.com/cryptographic-service.html
Restore CryptSvc (Cryptographic Service)
http://www.kellys-korner-xp.com/regs_edits/cryptsvc.reg
http://www.theeldergeek.com/cryptographic_services.htm

If you need to replace the mshtmler.dll file, go here and scroll down to
find it and then download it and install. This file may have become
corrupted, if the other things don't work, then try this.
http://www.dlldump.com/cgi-bin/dlldownload.cgi?path=dllfiles/M

This is the information I have been able to find thus far, so let's see how
we do with this. Let me know how you do.

Hope this helps.

Jan

Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit or other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

 

[Tony]

comments inserted

.... lots of different repair / reinstall options snipped ...

Jan II, I think I may have run across a post that has solved my problem. I
was just short of doing a "corrective" reinstall of XP Pro to fix my loss of
text box usability in IE6 SP1. You may recall I tried (with no success,
which I still haven't figured out) to force via various tricks a reinstall
of IE6 itself. So, I was going to toss in the XP Pro CD when I ran across a
post on this NG from someone who was having trouble - not like mine, but
close enough to make me want to read the thread. I went to this site

http://www.infinisource.com/techfiles/surf-safe.html

As I read it, it occurred to me that my problem may in fact have been
related to recent (within the last 6 months) customization of my Internet
Security settings. I had previously had a Custom security profile, but some
random post from several months ago caused me to tweak it. I honestly can't
remember what it was I tweaked. Well, the combination of my old setting plus
that last set of changes appears to have been responsible (somehow). After
following the recommendations on this site I seem to be quite back to
normal.

I still haven't been able to figure out why I could not get IE6 to reinstall
(although I never got around to trying one or two of the suggestions), but
I'm willing to let that go for now.

So it appears there is at least one combination of Security settings on IE6
SP1 that produces a less than completely stable browser environment.

 

[PA Bear]

Check your system for "hijackware":

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder (fix all found)

2. Ad-Aware (fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You *must* seek updates for Ad-Aware, Spybot, etc., before each
and every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://www.spywareinfo.com/~merijn/files/HijackThis.exe) is the preferred
tool to use. It will help you to both identify and remove any
hijackware/spyware. **Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

Also:

1. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...

2. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html)
and follow all Removal steps.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then Disk Cleanup > More options > Delete all but the most
recent Restore Point.

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

Protect Your PC
http://www.microsoft.com/security/protect

 

[Tony]

PA Bear, the original thread shows that I went through of all the standard
recommendations which show up here (including all those you've listed).
There was and is no spyware / shredder / malware / fill-in-the-blank-ware on
my system. In this case the stock actions had no relevance. That's why I was
at the stage of trying a reinstall of IE6 and then a refresh installation of
XP Pro. My guess is the reinstall of IE6 would have eventually worked had I
followed the dozen or so different steps to try and get it to work. Gotta
love MS for making a core component of its OS virtually unrepairable.

Check your system for "hijackware":

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder (fix all found)

2. Ad-Aware (fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You *must* seek updates for Ad-Aware, Spybot, etc., before each
and every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://www.spywareinfo.com/~merijn/files/HijackThis.exe) is the preferred
tool to use. It will help you to both identify and remove any
hijackware/spyware. **Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

Also:

1. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...

2. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html)
and follow all Removal steps.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then Disk Cleanup > More options > Delete all but the most
recent Restore Point.

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

Protect Your PC
http://www.microsoft.com/security/protect

... lots of different repair / reinstall options snipped ...

Jan II, I think I may have run across a post that has solved my problem. I
was just short of doing a "corrective" reinstall of XP Pro to fix my loss
of text box usability in IE6 SP1. You may recall I tried (with no success,
which I still haven't figured out) to force via various tricks a reinstall
of IE6 itself. So, I was going to toss in the XP Pro CD when I ran across
a post on this NG from someone who was having trouble - not like mine, but
close enough to make me want to read the thread. I went to this site

http://www.infinisource.com/techfiles/surf-safe.html

As I read it, it occurred to me that my problem may in fact have been
related to recent (within the last 6 months) customization of my Internet
Security settings. I had previously had a Custom security profile, but
some random post from several months ago caused me to tweak it. I
honestly can't remember what it was I tweaked. Well, the combination of
my old setting plus that last set of changes appears to have been
responsible (somehow). After following the recommendations on this site I
seem to be quite back to normal.

I still haven't been able to figure out why I could not get IE6 to
reinstall (although I never got around to trying one or two of the
suggestions), but I'm willing to let that go for now.

So it appears there is at least one combination of Security settings on
IE6 SP1 that produces a less than completely stable browser environment.

 

[PA Bear]

Hi, Tony. I've been following this thread since it began earlier this
month. Reinstalling IE won't make a bit of difference if malware is still
present on your machine (and your problem is 99.9% certain to be
malware-related, a recent CoolWebSearch variant, most likely).

IE Tools>Internet Options>General>Accessibility> Is anything enabled here?
Did you enable it?

IE Tools>Internet Options>Advanced>Browsing>Enable third party browser
extentions (unchecked?)

Do you or did you have any P2P file sharing apps installed? How about
"free" toolbars?

You piggy-backed onto a thread begun by another poster to which a talented
MVP (Doug Varnau), familiar with hijackware, had responded. Did you see his
post? You appear to have take only a few of his thorough and explicit
suggestions.

...I have been
through the entire mantra that the experts here suggest: AdAware,
Spybot, CWShredder, Virus Scan, Hijack This, etc. Not one thing was
found. I even did the mshtmler.dll replacement. I was left twisting
in the wind. Apparently there's not a lot to suggest beyond the usual
things that seem to appear in this ng.

Did you seek updates for CWShredder, Ad-aware and Spybot v1.3 before using
them each & every time (even "right of the box" new), and run them in that
exact order? Have you updated and run them since 03 July-04? Have you
enabled 'Show Hidden Files' before running them? Have you scanned with
these tools in Safe Mode? Has Ad-aware been reconfigured for a full custom
scan per http://aumha.org/forum/viewtopic.php?t=5877?

Have you posted your HijackThis log to an appropriate forum for
interpretation by the pros? HijackThis doesn't fix anything on its own and
there's a fairly steep learning curve associated with knowing what the good
and bad guys are. (If you have posted your log somewhere, please provide a
link to the thread/forum.)

Are your anti-virus application's definitions updated daily, followed by a
full system scan (also daily)? AFAIK, you haven't yet run a full system
scan in Safe Mode (see http://aumha.org/forum/viewtopic.php?t=5878).

Furthermore, you're missing several critical security updates at Windows
Update (though I wouldn't install updates until you get this malware problem
sorted).

Why can't I download [from Windows Update]?
http://www.kellys-korner-xp.com/top10faqs.htm
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

What You Should Know About Spyware
http://www.microsoft.com/mscorp/twc/privacy/spyware.mspx

PA Bear, the original thread shows that I went through of all the standard
recommendations which show up here (including all those you've listed).
There was and is no spyware / shredder / malware / fill-in-the-blank-ware
on my system. In this case the stock actions had no relevance. That's why
I was at the stage of trying a reinstall of IE6 and then a refresh
installation of XP Pro. My guess is the reinstall of IE6 would have
eventually worked had I followed the dozen or so different steps to try
and get it to work. Gotta love MS for making a core component of its OS
virtually unrepairable.

Check your system for "hijackware":

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder (fix all found)

2. Ad-Aware (fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You *must* seek updates for Ad-Aware, Spybot, etc., before
each and every use, even "right out of the box". But even they can't
catch everything, 24/7. When all else fails, HijackThis
(http://www.spywareinfo.com/~merijn/files/HijackThis.exe) is the
preferred tool to use. It will help you to both identify and remove any
hijackware/spyware. **Post your files to http://forums.spywareinfo.com/
or http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not
here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

Also:

1. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...

2. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html)
and follow all Removal steps.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then Disk Cleanup > More options > Delete all but the most
recent Restore Point.

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--

comments inserted

Hi Tony

Instead of a reinstall, try the information below and see if a repair
will help.

Repair Internet Explorer

For XP Repair of IE -

Be sure that your AV and firewall is disabled before starting:

How to Reinstall or Repair Internet Explorer and Outlook Express in
Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318378

Courtesy of Robert Aldwinckle

XP users who have installed IE6sp1 before upgrading to XPsp1
will have setupwbv.dll and will be able to do a repair using

rundll32 setupwbv.dll,IE6Maintenance

Otherwise, they have to use

sfc /scannow

etc., or reinstall IE6 (Ref: KB318378)

or......................


... lots of different repair / reinstall options snipped ...

Jan II, I think I may have run across a post that has solved my
problem. I was just short of doing a "corrective" reinstall of XP Pro
to fix my loss of text box usability in IE6 SP1. You may recall I tried
(with no success, which I still haven't figured out) to force via
various tricks a reinstall of IE6 itself. So, I was going to toss in
the XP Pro CD when I ran across a post on this NG from someone who was
having trouble - not like mine, but close enough to make me want to
read the thread. I went to this site

http://www.infinisource.com/techfiles/surf-safe.html

As I read it, it occurred to me that my problem may in fact have been
related to recent (within the last 6 months) customization of my
Internet Security settings. I had previously had a Custom security
profile, but some random post from several months ago caused me to
tweak it. I honestly can't remember what it was I tweaked. Well, the
combination of my old setting plus that last set of changes appears to
have been responsible (somehow). After following the recommendations on
this site I seem to be quite back to normal.

I still haven't been able to figure out why I could not get IE6 to
reinstall (although I never got around to trying one or two of the
suggestions), but I'm willing to let that go for now.

So it appears there is at least one combination of Security settings on
IE6 SP1 that produces a less than completely stable browser environment.

 

[Tony]

As there are many points here, I will respond with inserted comments...

Hi, Tony. I've been following this thread since it began earlier this
month. Reinstalling IE won't make a bit of difference if malware is still
present on your machine (and your problem is 99.9% certain to be
malware-related, a recent CoolWebSearch variant, most likely).

IE Tools>Internet Options>General>Accessibility> Is anything enabled here?
Did you enable it?

No and no.

IE Tools>Internet Options>Advanced>Browsing>Enable third party browser
extentions (unchecked?)

Unchecked.

Do you or did you have any P2P file sharing apps installed? How about
"free" toolbars?

No and at one time yes. Many months ago I had some add-on toolbar show up,
but I got rid of it with the combination of tools listed here (I also
checked the Registry to make sure it was removed from the usual keys like
Run and Run Once). Had not shown up since.

You piggy-backed onto a thread begun by another poster to which a talented
MVP (Doug Varnau), familiar with hijackware, had responded. Did you see his
post? You appear to have take only a few of his thorough and explicit
suggestions.

While I only generically indicated what I did here, I did in fact follow all
of his suggestions.

Did you seek updates for CWShredder, Ad-aware and Spybot v1.3 before using
them each & every time (even "right of the box" new), and run them in that
exact order? Have you updated and run them since 03 July-04? Have you
enabled 'Show Hidden Files' before running them? Have you scanned with
these tools in Safe Mode? Has Ad-aware been reconfigured for a full custom
scan per http://aumha.org/forum/viewtopic.php?t=5877?

Yes.

CWShredder just run. Came up completely clean.

Adaware just run. 14 tracking cookies (all of which I recognize) and 5
redirected hosts file entries, which other sites indicate is sometimes
incorrectly identified by Adaware. BTW, I am using the hosts file from
http://www.mvps.org/winhelp2002/

Spybot found the same tracking cookies as Adaware, and also 5 DSO Exploits,
of the form

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

As you can see from this example I fixed them.

Have you posted your HijackThis log to an appropriate forum for
interpretation by the pros? HijackThis doesn't fix anything on its own and
there's a fairly steep learning curve associated with knowing what the good
and bad guys are. (If you have posted your log somewhere, please provide a
link to the thread/forum.)

Yes. Nothing found.

Are your anti-virus application's definitions updated daily, followed by a
full system scan (also daily)? AFAIK, you haven't yet run a full system
scan in Safe Mode (see http://aumha.org/forum/viewtopic.php?t=5878).

Yes. Although I have my full scal set to once per week (hasn't found
anything in a long, long time).

Furthermore, you're missing several critical security updates at Windows
Update (though I wouldn't install updates until you get this malware problem
sorted).

Yes, I know. I wanted to resolve this problem before doing this.

I would appreciate getting some insight as to why you are so sure it's
malware of some kind. The posts on this NG which tend to be traced back to
xxx-ware all seem to be things that many people are posting about (which
makes sense). In all the time I've been looking here (and other IE
newsgroups) I've only seen my exact problem posted three times... twice by
me! Given that my indicated actions have made this problem go away (and not
come back even without any further CW / Ad / Spy etc efforts until I just
ran them again), why do you not conclude that in fact there may have been a
combination of settings that may have been responsible for this? (I'm not
poking you with a stick, I'd like to know)

 

[Tony]

One thing: I did everything except the Trusted Root Certificates (there is
nothing in my Trusted Publishers list). When I saw the list I was hesitant
to delete any of them, as it is not clear who they belong to. However, no
one noticed anything odd in this area on HijackThis.

 

[PA Bear]

Please:

- confirm that you've sought updates for Ad-aware and Spybot before
using them each time;

- confirm you are running Spybot v1.3;

- confirm that you've reconfigured Ad-aware per
http://aumha.org/forum/viewtopic.php?t=5877;

- confirm that you've run both Ad-aware and Spybot in Safe Mode after
first having enabled "Show Hidden Files";

- confirm that you've updated virus definitions (manually, if
necessary), enabled "Show Hidden Files" and ran a full system scan with your
AV app;

- confirm that you've run at least two (2) of the free online scans
found listed at http://aumha.org/secure.php#freeav (NB: one of them *must*
be Panda's!)

- post the URL for the forum thread where you posted your HijackThis log
(and if they didn't have you enable "Show Hidden Files" and run HT in Safe
Mode, do so and post back to the thread. (You may reference this IE6
Browser thread and my post.)

[Is this it?... http://forums.spywareinfo.com/index.php?showtopic=8784 ]

Do you or did you have any ["free" toolbars] installed?

[At] one time yes.

What was it?

Spybot found ...5 DSO Exploits

Assuming your homepage and default Search choices are what you want them to
be and are working properly, you may consider these DSO exploits a known and
much-discussed bug. You may configure Spybot to ignore them in further
scans.

...I have my full [AV scan] set to once per week

That scenario is simply insufficient anymore, Tony. Configure your AV to
seek definitions at least once a day (Some IT pros have chosen hourly!), at
a time when the machine is booted up and connected to the 'net. Then
configure it to run a full system scan about five minutes or so after
seeking and installing updates, also daily.

In all the time I've been looking here (and other IE
newsgroups) I've only seen my exact problem posted three times

Tony, I've read, re-read, reviewed and re-reviewed [Quiet, Jan! <wink>] all
of your posts in the original thread (http://snipurl.com/81fo) and here.
You have never stated "your exact problem" in either thread. You only made
a "Me, too" reply to OP Steve's post. Please do not consider this an attack
on you. The fact that you didn't clearly state *your* problem (and what
you'd done so far to solve it) is what caused me to "lurk in the background"
for the past month. I suspect others who may have been able to help also
chose to ignore this thread (and the original) for the very same reason
(though Jan's done an admirable job so far and kudos to her for jumping into
the fray).

I would appreciate getting some insight as to why you are so sure it's
malware of some kind...

The inablity to type in IE text boxes (and in OE) was one of the very first
"hijackings" we saw, dating back to December 2002 IIRC. It was caused
(then) by a still-nasty, still around POS called Xupiter. There are so many
new types of hijackware, new variants of known ones, and exploits used to
install them, that we simply cannot keep up with them all (which is prolly
the intent of the a**holes who're writing and foisting this stuff on mostly
unsuspecting users).

I respectfully suggest you (1) enable "Show Hidden Files" (and leave it that
way), (2) update virus definitions and run a full system scan in Safe Mode,
(3) update & run Ad-aware and Spybot (in that order and per all of the
above) once again, then (4) update and run HijackThis again (in Safe Mode),
saving your log.

Then go to http://forums.aumha.org and Register. Sign in and post your new
log to a new thread in http://forum.aumha.org/viewforum.php?f=30. Some of
the best hijackware mavens are working there, including MVPs Mike Burgess
(WinHelp2002 in http://forums.spywareinfo.com/index.php?showtopic=8784),
Siljaline, and the inimitable TonyKlein. Again, you may reference this
thread in your post.

Please do *not* insert your replies inline, it's simply too confusing.

Please do not change the subject of a thread; doing so disassociates your
post and replies to it from the original thread.

Please include all of the previous message in your replies.
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

Protect Your PC
http://www.microsoft.com/security/protect

 

[Tony]

Okay. Sorry it took so long to get back to you. I've been distracted by real
work! As you do not want me to insert responses I will have to respond here
point by point. In addition, I will top post to be consistent with your
response methods.

Updates to both programs installed

Ad-aware reconfiguration confirmed

I have never kept a Windows configuration with files Hidden, so that is not
an issue. In any event, both programs were run in Safe mode. Both found the
same stuff I listed below (as when they were run in a regular instance).

I ran RAV and Panda. They both found old stuff in Zip files that were in a
Deleted Items folder from an email account I haven't used since 2002. On an
F: drive. Before jumping on that, I'll say that I don't open anything I get
in an attachment unless I already know what it is (i.e., I'm expecting it).

Yes, that is the HijackThis thread. As indicated earlier, I don't operate my
system with Hidden Files, so it was run in Show mode. It was not run in Safe
Mode. I can do that.

I really don't remember which toolbar I had pop up in my Browser. All I
remember is that I first deleted its entry from the Run key in the Registry,
and then ran every correction tool I had. It went away.

I appreciate what you wrote about AV updating (I use McAfee). I run a fairly
controlled computing environment at home. Only myself and my wife. My wife
uses it only for email and browsing. I use it for that and work and digital
imaging. Neither of us spends a whole lot of time looking for weird new
stuff on the Web. Neither one of us even bother to look at mail if we don't
know who it came from (even the ones from Microsoft Security from a few
months ago :>). I also don't install random stuff for no reason. My system
runs 24/7 on a cable modem behind a switch with NAT and SPI, and with XP
Pro's firewall enabled. I also use another software firewall (Conseal PC
Firewall). With my AV updating weekly I have not had any attack on my system
since the toolbar incident (which is not a virus, per se). If you go
strictly by the definition of a virus I have no recollection of the last
time my system was affected. And yes I have run any number of on-line
firewall testers. My system comes up as Stealthy or Invisible.

I have listed my problem in the past in another thread. The reason why I
jumped in on Steve's is that it seemed like there was some action in his
thread that might help. Try this one

http://groups.google.com/[email protected]&rnum=16

watch out for the overlap.

I will try your 2-4 steps listed below again (1 is already taken care of),
and see what comes up.

Please:

- confirm that you've sought updates for Ad-aware and Spybot before
using them each time;

- confirm you are running Spybot v1.3;

- confirm that you've reconfigured Ad-aware per
http://aumha.org/forum/viewtopic.php?t=5877;

- confirm that you've run both Ad-aware and Spybot in Safe Mode after
first having enabled "Show Hidden Files";

- confirm that you've updated virus definitions (manually, if
necessary), enabled "Show Hidden Files" and ran a full system scan with your
AV app;

- confirm that you've run at least two (2) of the free online scans
found listed at http://aumha.org/secure.php#freeav (NB: one of them *must*
be Panda's!)

- post the URL for the forum thread where you posted your HijackThis log
(and if they didn't have you enable "Show Hidden Files" and run HT in Safe
Mode, do so and post back to the thread. (You may reference this IE6
Browser thread and my post.)

[Is this it?... http://forums.spywareinfo.com/index.php?showtopic=8784 ]

Do you or did you have any ["free" toolbars] installed?

[At] one time yes.

What was it?

Spybot found ...5 DSO Exploits

Assuming your homepage and default Search choices are what you want them to
be and are working properly, you may consider these DSO exploits a known and
much-discussed bug. You may configure Spybot to ignore them in further
scans.

...I have my full [AV scan] set to once per week

That scenario is simply insufficient anymore, Tony. Configure your AV to
seek definitions at least once a day (Some IT pros have chosen hourly!), at
a time when the machine is booted up and connected to the 'net. Then
configure it to run a full system scan about five minutes or so after
seeking and installing updates, also daily.

In all the time I've been looking here (and other IE
newsgroups) I've only seen my exact problem posted three times

Tony, I've read, re-read, reviewed and re-reviewed [Quiet, Jan! <wink>] all
of your posts in the original thread (http://snipurl.com/81fo) and here.
You have never stated "your exact problem" in either thread. You only made
a "Me, too" reply to OP Steve's post. Please do not consider this an attack
on you. The fact that you didn't clearly state *your* problem (and what
you'd done so far to solve it) is what caused me to "lurk in the background"
for the past month. I suspect others who may have been able to help also
chose to ignore this thread (and the original) for the very same reason
(though Jan's done an admirable job so far and kudos to her for jumping into
the fray).

I would appreciate getting some insight as to why you are so sure it's
malware of some kind...

The inablity to type in IE text boxes (and in OE) was one of the very first
"hijackings" we saw, dating back to December 2002 IIRC. It was caused
(then) by a still-nasty, still around POS called Xupiter. There are so many
new types of hijackware, new variants of known ones, and exploits used to
install them, that we simply cannot keep up with them all (which is prolly
the intent of the a**holes who're writing and foisting this stuff on mostly
unsuspecting users).

I respectfully suggest you (1) enable "Show Hidden Files" (and leave it that
way), (2) update virus definitions and run a full system scan in Safe Mode,
(3) update & run Ad-aware and Spybot (in that order and per all of the
above) once again, then (4) update and run HijackThis again (in Safe Mode),
saving your log.

Then go to http://forums.aumha.org and Register. Sign in and post your new
log to a new thread in http://forum.aumha.org/viewforum.php?f=30. Some of
the best hijackware mavens are working there, including MVPs Mike Burgess
(WinHelp2002 in http://forums.spywareinfo.com/index.php?showtopic=8784),
Siljaline, and the inimitable TonyKlein. Again, you may reference this
thread in your post.

Please do *not* insert your replies inline, it's simply too confusing.

Please do not change the subject of a thread; doing so disassociates your
post and replies to it from the original thread.

Please include all of the previous message in your replies.
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

Protect Your PC
http://www.microsoft.com/security/protect

As there are many points here, I will respond with inserted comments...



No and no.

No and at one time yes. Many months ago I had some add-on toolbar show up,
but I got rid of it with the combination of tools listed here (I also
checked the Registry to make sure it was removed from the usual keys like
Run and Run Once). Had not shown up since.

While I only generically indicated what I did here, I did in fact follow
all of his suggestions.


Yes.

CWShredder just run. Came up completely clean.

Adaware just run. 14 tracking cookies (all of which I recognize) and 5
redirected hosts file entries, which other sites indicate is sometimes
incorrectly identified by Adaware. BTW, I am using the hosts file from
http://www.mvps.org/winhelp2002/

Spybot found the same tracking cookies as Adaware, and also 5 DSO
Exploits, of the form

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

As you can see from this example I fixed them.

Yes. Nothing found.


Yes. Although I have my full scal set to once per week (hasn't found
anything in a long, long time).

Yes, I know. I wanted to resolve this problem before doing this.

I would appreciate getting some insight as to why you are so sure it's
malware of some kind. The posts on this NG which tend to be traced back to
xxx-ware all seem to be things that many people are posting about (which
makes sense). In all the time I've been looking here (and other IE
newsgroups) I've only seen my exact problem posted three times... twice by
me! Given that my indicated actions have made this problem go away (and
not come back even without any further CW / Ad / Spy etc efforts until I
just ran them again), why do you not conclude that in fact there may have
been a combination of settings that may have been responsible for this?
(I'm not poking you with a stick, I'd like to know)

 

[Tony]

Sorry. I stopped using Conseal after I had a heck of a time trying to get it
to work properly under XP Pro (I used it for years in Win98 and 98SE), and
once I figured out how to work with XP Pro's own firewall (even though it
does not yet do much for outbound activity).

Okay. Sorry it took so long to get back to you. I've been distracted by real
work! As you do not want me to insert responses I will have to respond here
point by point. In addition, I will top post to be consistent with your
response methods.

Updates to both programs installed

Ad-aware reconfiguration confirmed

I have never kept a Windows configuration with files Hidden, so that is not
an issue. In any event, both programs were run in Safe mode. Both found the
same stuff I listed below (as when they were run in a regular instance).

I ran RAV and Panda. They both found old stuff in Zip files that were in a
Deleted Items folder from an email account I haven't used since 2002. On an
F: drive. Before jumping on that, I'll say that I don't open anything I get
in an attachment unless I already know what it is (i.e., I'm expecting it).

Yes, that is the HijackThis thread. As indicated earlier, I don't operate my
system with Hidden Files, so it was run in Show mode. It was not run in Safe
Mode. I can do that.

I really don't remember which toolbar I had pop up in my Browser. All I
remember is that I first deleted its entry from the Run key in the Registry,
and then ran every correction tool I had. It went away.

I appreciate what you wrote about AV updating (I use McAfee). I run a fairly
controlled computing environment at home. Only myself and my wife. My wife
uses it only for email and browsing. I use it for that and work and digital
imaging. Neither of us spends a whole lot of time looking for weird new
stuff on the Web. Neither one of us even bother to look at mail if we don't
know who it came from (even the ones from Microsoft Security from a few
months ago :>). I also don't install random stuff for no reason. My system
runs 24/7 on a cable modem behind a switch with NAT and SPI, and with XP
Pro's firewall enabled. I also use another software firewall (Conseal PC
Firewall). With my AV updating weekly I have not had any attack on my system
since the toolbar incident (which is not a virus, per se). If you go
strictly by the definition of a virus I have no recollection of the last
time my system was affected. And yes I have run any number of on-line
firewall testers. My system comes up as Stealthy or Invisible.

I have listed my problem in the past in another thread. The reason why I
jumped in on Steve's is that it seemed like there was some action in his
thread that might help. Try this one

http://groups.google.com/[email protected]&rnum=16

watch out for the overlap.

I will try your 2-4 steps listed below again (1 is already taken care of),
and see what comes up.

Please:

- confirm that you've sought updates for Ad-aware and Spybot before
using them each time;

- confirm you are running Spybot v1.3;

- confirm that you've reconfigured Ad-aware per
http://aumha.org/forum/viewtopic.php?t=5877;

- confirm that you've run both Ad-aware and Spybot in Safe Mode after
first having enabled "Show Hidden Files";

- confirm that you've updated virus definitions (manually, if
necessary), enabled "Show Hidden Files" and ran a full system scan with your
AV app;

- confirm that you've run at least two (2) of the free online scans
found listed at http://aumha.org/secure.php#freeav (NB: one of them *must*
be Panda's!)

- post the URL for the forum thread where you posted your HijackThis log
(and if they didn't have you enable "Show Hidden Files" and run HT in Safe
Mode, do so and post back to the thread. (You may reference this IE6
Browser thread and my post.)

[Is this it?... http://forums.spywareinfo.com/index.php?showtopic=8784 ]

Do you or did you have any ["free" toolbars] installed?

[At] one time yes.

What was it?

Spybot found ...5 DSO Exploits

Assuming your homepage and default Search choices are what you want them to
be and are working properly, you may consider these DSO exploits a known and
much-discussed bug. You may configure Spybot to ignore them in further
scans.

...I have my full [AV scan] set to once per week

That scenario is simply insufficient anymore, Tony. Configure your AV to
seek definitions at least once a day (Some IT pros have chosen hourly!), at
a time when the machine is booted up and connected to the 'net. Then
configure it to run a full system scan about five minutes or so after
seeking and installing updates, also daily.

In all the time I've been looking here (and other IE
newsgroups) I've only seen my exact problem posted three times

Tony, I've read, re-read, reviewed and re-reviewed [Quiet, Jan! <wink>] all
of your posts in the original thread (http://snipurl.com/81fo) and here.
You have never stated "your exact problem" in either thread. You only made
a "Me, too" reply to OP Steve's post. Please do not consider this an attack
on you. The fact that you didn't clearly state *your* problem (and what
you'd done so far to solve it) is what caused me to "lurk in the background"
for the past month. I suspect others who may have been able to help also
chose to ignore this thread (and the original) for the very same reason
(though Jan's done an admirable job so far and kudos to her for jumping into
the fray).

I would appreciate getting some insight as to why you are so sure it's
malware of some kind...

The inablity to type in IE text boxes (and in OE) was one of the very first
"hijackings" we saw, dating back to December 2002 IIRC. It was caused
(then) by a still-nasty, still around POS called Xupiter. There are so many
new types of hijackware, new variants of known ones, and exploits used to
install them, that we simply cannot keep up with them all (which is prolly
the intent of the a**holes who're writing and foisting this stuff on mostly
unsuspecting users).

I respectfully suggest you (1) enable "Show Hidden Files" (and leave it that
way), (2) update virus definitions and run a full system scan in Safe Mode,
(3) update & run Ad-aware and Spybot (in that order and per all of the
above) once again, then (4) update and run HijackThis again (in Safe Mode),
saving your log.

Then go to http://forums.aumha.org and Register. Sign in and post your new
log to a new thread in http://forum.aumha.org/viewforum.php?f=30. Some of
the best hijackware mavens are working there, including MVPs Mike Burgess
(WinHelp2002 in http://forums.spywareinfo.com/index.php?showtopic=8784),
Siljaline, and the inimitable TonyKlein. Again, you may reference this
thread in your post.

Please do *not* insert your replies inline, it's simply too confusing.

Please do not change the subject of a thread; doing so disassociates your
post and replies to it from the original thread.

Please include all of the previous message in your replies.
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

Protect Your PC
http://www.microsoft.com/security/protect

As there are many points here, I will respond with inserted comments...

Hi, Tony. I've been following this thread since it began earlier this
month. Reinstalling IE won't make a bit of difference if malware is
still present on your machine (and your problem is 99.9% certain to be
malware-related, a recent CoolWebSearch variant, most likely).

IE Tools>Internet Options>General>Accessibility> Is anything enabled
here? Did you enable it?

No and no.

IE Tools>Internet Options>Advanced>Browsing>Enable third party browser
extentions (unchecked?)

Unchecked.

Do you or did you have any P2P file sharing apps installed? How about
"free" toolbars?

No and at one time yes. Many months ago I had some add-on toolbar show up,
but I got rid of it with the combination of tools listed here (I also
checked the Registry to make sure it was removed from the usual keys like
Run and Run Once). Had not shown up since.

You piggy-backed onto a thread begun by another poster to which a
talented MVP (Doug Varnau), familiar with hijackware, had responded.
Did you see his post? You appear to have take only a few of his
thorough and explicit suggestions.

While I only generically indicated what I did here, I did in fact follow
all of his suggestions.

...I have been
through the entire mantra that the experts here suggest: AdAware,
Spybot, CWShredder, Virus Scan, Hijack This, etc. Not one thing was
found. I even did the mshtmler.dll replacement. I was left twisting
in the wind. Apparently there's not a lot to suggest beyond the usual
things that seem to appear in this ng.

Did you seek updates for CWShredder, Ad-aware and Spybot v1.3 before
using them each & every time (even "right of the box" new), and run them
in that exact order? Have you updated and run them since 03 July-04?
Have you enabled 'Show Hidden Files' before running them? Have you
scanned with these tools in Safe Mode? Has Ad-aware been reconfigured
for a full custom scan per http://aumha.org/forum/viewtopic.php?t=5877?

Yes.

CWShredder just run. Came up completely clean.

Adaware just run. 14 tracking cookies (all of which I recognize) and 5
redirected hosts file entries, which other sites indicate is sometimes
incorrectly identified by Adaware. BTW, I am using the hosts file from
http://www.mvps.org/winhelp2002/

Spybot found the same tracking cookies as Adaware, and also 5 DSO
Exploits, of the form

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

As you can see from this example I fixed them.

Have you posted your HijackThis log to an appropriate forum for
interpretation by the pros? HijackThis doesn't fix anything on its own
and there's a fairly steep learning curve associated with knowing what
the good and bad guys are. (If you have posted your log somewhere,
please provide a link to the thread/forum.)

Yes. Nothing found.

Are your anti-virus application's definitions updated daily, followed by
a full system scan (also daily)? AFAIK, you haven't yet run a full
system scan in Safe Mode (see
http://aumha.org/forum/viewtopic.php?t=5878).

Yes. Although I have my full scal set to once per week (hasn't found
anything in a long, long time).

Furthermore, you're missing several critical security updates at Windows
Update (though I wouldn't install updates until you get this malware
problem sorted).

Yes, I know. I wanted to resolve this problem before doing this.

I would appreciate getting some insight as to why you are so sure it's
malware of some kind. The posts on this NG which tend to be traced

back

to

twice

by