Thanks for the help. Some of what you listed was helpful; some was
dangerous.. thank god for restore points.
I searched high and low for HijackThis.. here is why:
most links out there seem to reference this address:
Another excellent programme that allows you to examine your system and
*create a results log for experts to examine* is HijackThis, available
from:
http://www.tomcoyote.org/hjt/
SHOULD BE
http://tomcoyote.org/hjt (NO WWW)
After running this, I took a deep breath and opted to FIX/DELETE the R3
entry that stated No Default SearchURL entry existed.
Not much info on this entry in HJT but I created a restore point and
rolled the dice.
(I did this after spending the entire day using AdAware and Spybot S&D
with limited results.)
To anyone else with this hijack problem, which is not easily fixed with
the a AdAware 6.0 and SpyBot S&D: I would suggest you boot in safe mode,
run AdAware with all of the advanced options/whistles...
Search for and any .js files that arrived around the time/date of your
hijack.. delete them (at your own risk of course)
Search for and delete any .tmp files with the same disclaimer above.
Then, run Hijack This and look for the missing default Search URL.. fixing
this was the last step.
Now I can search from the address bar!! (and there is whole lot less
garbage in the system.)
Hope this helps someone else.. I saw a few posts with this same problem
with similar answers (somewhat helpful) that did not quite do the trick.
Thank you Sandi
----- Sandi - Microsoft MVP wrote: -----
There are many people who have helped this FAQ improve over time -
MVPs and
newsgroup users. I thank all of you who have made the newsgroups,
anti-malware websites and dedicated mailing lists into such a
wonderful
resource.
IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX
from
the URL below - some malware can kill your internet connection when it
is
removed, and this software should get things going for you again:
http://www.cexx.org/lspfix.htm
IMPORTANT: After obtaining the software below, make sure you check for
updates and then run the programmes in safe mode.
You can go to the link below to check your system for parasites
(supplied by
Doxdesk.com):
http://inetexplorer.mvps.org/parasite.htm
Malware removal (beginners guide):
First, go to Control Panel, add/remove programs. Check for malware
entries
and use the uninstall programs.
Second, get AdAware. [..Warning: AdAware is now version 6.181. All
previous
versions are NO LONGER SUPPORTED and will not be updated...]
AdAware is available at
www.lavasoft.de. Make sure you check for
updates
every time you use it.
To be most effective, you must run AdAware while Windows is in safe
mode,
and you must shut down as many suspect processes as possible.
This can be tricky, but nothing is impossible. Modern malware uses
more than
one process, and these processes are 'co-dependent'. In other words,
when
one processes detects that the other has been shut down, it
automatically
restarts its sibling, often using a different name. Using Task
Manager
(ctrl, alt, del) doesn't work because you can only shut down one
process at
a time.
Disable suspect processes using MSCONFIG before booting into safe
mode. Use
the information at the URL below as a guide:
http://www2.whidbey.com/djdenham/Uncheck.htm
After you are in safe mode, check to make sure the suspect processes
did not
start up. Then start AdAware. Make sure 'activate in depth scan' is
enabled. Select 'use custom scanning options' and then click on the
'customize' button. Turn on the following scan options - scan within
archives, active processes, registry (including deep scan), IE
favorites and
hosts file. You must also turn on the following option via the 'tweak'
button:
Cleaning engine: 'automatically try to unregister objects prior to
deletion'
IMPORTANT: Before letting AdAware delete malware, write down on a
piece of
paper exactly where the malware is stored. You will need to delete
those
directories after AdAware has done its work, but ONLY IF IT IS NOT A
STANDARD WINDOWS DIRECTORY.
After running AdAware, run it again, this time using the option
'select
drives/folders to scan'. Click on 'select'. Scan your entire hard
drive.
Also do the following:
Empty your IE cache and your other temporary file folders, eg:
c:\windows\temp (if using Windows 98) or C:\Documents and
Settings\<name>\Local Settings\Temp (the path to your temp folder will
change depending on your name) - sometimes programmes can be hidden in
there - watch out for mysterious *.exe files or *.dll files in those
folders.
Go to IE Tools, Internet Options, Temporary Internet Files {Settings
Button}, View Objects, Downloaded Programme Files. Check for unusual
objects
there.
Go to IE Tools, Internet Options, Accessibility. Make sure there is
no
style sheet chosen (under User Style Sheet - format documents using my
style
sheet). If the option is turned on, turn it OFF.
It is possible to turn off third party extensions (Enable third-party
browser extensions (requires restart) at IE tools, internet options,
advanced) to disable *all* plug-ins but troubleshooting will be
difficult
and it is only a BANDAID. Nothing gets fixed. There is software that
depends on 'third party browser extensions" to work, including
Acrobat,
Microsoft Money, and many other programmes.
Once your computer is clean, and if it applies to your operating
system,
create a new restore point. Your old ones may, of course, be infected
with
the malware and therefore cannot be used. Run disk cleanup to remove
old
restore points (if you operating system has this option you will find
it on
the 'more options' tab of the disk cleanup utility).
If you are still having problems:
You can go to the link below to check your system for parasites and
hopefully identify your problem (supplied by Doxdesk.com):
http://inetexplorer.mvps.org/parasite.htm
Download and run the latest version of "Cool Web Shredder"
http://www.merijn.org/files/CWShredder.exe
The more experienced user can try Spybot. Again, it is a free
programme
which can be downloaded from:
http://spybot.eon.net.au/. Warning: it
is NOT
a good programme for the inexperienced. If you want to use this
programme,
please get the advice of those more experienced before 'fixing'
anything
that it finds.
Another excellent programme that allows you to examine your system and
*create a results log for experts to examine* is HijackThis, available
from:
http://www.tomcoyote.org/hjt/
An experienced computer technician can use programme such as AutoStart
Viewer for in-depth diagnosis:
http://www.diamondcs.com.au/index.php?page=asviewer
MS have released a limited KB article regarding what they call
'deceptive
software'.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315
Here is advice specific to:
home page hijackings
http://inetexplorer.mvps.org/answers.htm#home_page
pop-up ads
http://inetexplorer.mvps.org/data/popup.htm
search engine hijackings
http://inetexplorer.mvps.org/answers4.htm#search_engine
IMPORTANT: Automated removal programmes are excellent, and a lot of
credit
goes to those who authored and update the programmes, but they can NOT
detect everything that is out there - as time goes on the programmes
will
become more and more unwieldy if they try to maintain a standard of
positive
identification for as much spyware as possible, and it will be harder
and
harder for the programmes to catch everything that is out there. More
and
more spyware uses RANDOM names as part of their programme making it
impossible for positive identification to occur, therefore....
It is VERY IMPORTANT that you learn how to examine your system for
potential
problems as well as using 'fixit' programme such as AdAware or Spybot.
Check your startup folder and MSCONFIG (startup tab).
The folders could be:
....\Start Menu\Programs\Startup User\Startup All
Users\Startup
The following registry keys are implicated in malware infection, and
can be
edited as appropriate (!! if you have experience !!).
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services Services
marked to startup automatically are executed before user login.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userinit
HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows\run
HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows\load
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
The following link will lead you to some Microsoft KB articles about
the
basics of the Registry and working with it:
http://inetexplorer.mvps.org/answers.htm#Registry
--
Hyperlinks are used to ensure advice remains current
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org/
I have been ripping out spyware/malware/gunk from my
wife's computer. I un-hijacked her search settings etc.
type: "? real estate" or simply "real estate" the search
feature will not work. (
http:///? real estate is then
displayed in the address bar and "The page cannot be
displayed.")
and tried every combination of use of Srchasst.
