Barbara said:
Lanwench -
The black screen has a smaller area in dashed lines and that is like a
webpage where you get the "hand". If you click on it, it brings you
to: "
http://213.159.117.149/partner/jump.php/?2" address in bar.
The black screen actually says:
"WARNING!
YOU'RE IN DANGER!
All you do with computer is stored forever in your hard disk. When you
visit
sites, send e-mails... all your actions are logged. And it is
impossible to remove them with standard tools. Your data is still
available for forensics. And in some cases for your boss, your
friends, your wife, your children.
Every site you or somebody or even something, like spyware, opened in
your browser, with all images, and all downloaded and maybe later
removed movies or mp3 songs - ARE STILL THERE and could broke your
life!
SECURE YOURSELF RIGHT NOW!"
Then underneath that is a line in gray box "REMOVAL INSTRUCTIONS" but
doesn't seem to do anything.
When I clicked on message area, went to a website (IP address above)
that
wants you to buy their protection services (various). Any idea how to
get
rid of this black screen?? I've returned the computer to the owners,
but
after XMAS I'll probably stop by. I might be able to talk them thru a
fix if it's easy enough. I sat down with daughter and showed how to do
all system
maintenance. The Spybot and AdAware are up-to-date as is the AVG7.0.
Please help, thanks.
I hope Lanwench won't mind that I jump in here. The black screen proves
that the computer is not clean of malware. Since most of this thread
was taken up by your problem getting to the Internet (solved with
LSPFix), you never described what you did to remove the malware.
Although you've used Spybot and Ad-aware, you should go through the
following removal steps again, using updated tools and doing all scans
in Safe Mode. When I clean a system, I also manually delete bad files,
but this takes a deep knowledge of the Windows operating system and
skill. This isn't something you can have an end user do.
1) Scan in Safe Mode with current version (not earlier than 2003)
antivirus using updated definitions.
2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.
Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).
HijackThis is an excellent tool to discover and disable hijackers, but
it requires expert skill. See below for HijackThis links. A combination
of HijackThis and About:Buster works well in removing the About:Blank
homepage hijacker. Again, this is an expert tool and novices should get
help with it.
3) If you are running Windows ME or XP, you should disable/enable System
Restore because malware will be in the Restore Points. With ME, you
must disable System Restore completely. With XP, you can delete all but
the most recent (presumably clean) System Restore point from the More
Options section of Disk Cleanup (Run>cleanmgr).
4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.
5) Run a firewall.
Links to help with malware:
Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.majorgeeks.com - good download site
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.silentrunners.org/sr_cwsremoval.html. - SilentRunners
HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://www.spywareinfo.com/forums/
General:
http://forum.aumha.org/ - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Depending on what you're charging and what the client wants to pay, it
might be a lot more sensible to just flatten the system and start over.
Malke