Spies, worms & other problems


J.A. Mason

My troubles began last Sunday. My daughter had been browsing the Web,
and when I got on my laptop computer after her, there was an unending
stream of popups and messages re: spyware and other popups trying to
get me to d/l their software to deal with the spyware 'found' on my
system. I went into my XP Pro Control Panel to remove these programs
that had installed themselves on my computer. My computer was very
slow...it took forever for any of the processes to complete. I then
ran Adware to remove any tracking programs left. It found over a
hundred, but supposedly removed them. Then I ran Norton's, but it
didn't find any viruses. At that point, I thought everything was
fixed & shut down & went to bed.

The real nightmare began Mon a.m., when I booted up my laptop. It was
'caught' in this terrible loop; it would almost be completely booted,
then just before my desktop completed loading, a black (DOS-like)
screen would suddenly appear in the middle of my desktop & the entire
system would reboot. After watching this cycle for about 3-4 times, I
finally realized it was somehow connected to my wireless network card,
so I took out the card, leaving me without an internet connection.

Since then, my system has run very poorly. My Start menu can't be
accessed. When I move the mouse pointer anywhere in the task bar of
the desktop, it turns to an hourglass as if it's waiting for some
process to complete. Sometimes my harddrive light runs on for many,
many minutes...in Task Manager it shows 2 or 3 copies of svchost.exe
running and utilizing like 85% of the CPU resources. This is when no
programs are open or running. I can't really run any programs
anymore, all I can do is get into my files via a desktop icon (NEVER
via the Start Menu) and look through various files. I guess if worse
came to worse, I could cut & copy my most essential documents to about
1,000 floppies and wipe the drive.

I've tried repairing WinXP about 4 times. Each time I get an error
message towards the end of the install (unregmp2.exe - Entry point not
found): "The procedure entry point GETIUMS could not be located in the
dynamic link library MSDART.DLL." This doesn't stop the install, just
comes up in a window.

The install completes, and yet nothing is fixed. In fact, when the
install completes at first, my view screen is reduced to very small.
But without doing anything to my settings, once I re-boot, I have a
full screen view again, but without any other problems fixed.

I suspect there must be a worm or SOMETHING that has messed up my
system like this. Yet, I don't know how or where to begin looking for
them. Is my only hope a complete disk wipe & re-install?

I realize this is quite long, and if there is a better list for this
to be posted on, please move this there.

Thanks for any help you can offer. I'm at my wits' end!

Jane
 

Guest

I had almost the same problem as you did. But a good friend of mine helped me get rid of some of it a few days ago. The only thing I can do is to send you this thing you have to download, but you say you don't even have any internet connections now, right?
 
J

J.A. Mason

I can access the Internet from another computer, but I'm having
trouble getting my laptop to read files I write to a CD right now
(among other things). Once, this morning... I booted up my system &
EVERYTHING BEHAVED NORMALLY for the first time in SEVEN DAYS! I could
access the Start menu & decided to try reloading my wireless card to
get Internet access. When I rebooted... I was back at square one.
Does anyone know exactly where the CORRECT svchost.exe file should be?
I have 2 copies on my system...one in the System32 file, the other in
System32/dllcache file. It's the svchost.exe that is using up all my
resources, and I wonder if one of these should be deleted.

Thanks for all your help....

Jane
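A check that answers the question above about which svchost.exe is the right one, added here as an example and not code from any poster: on Windows 2000/XP the genuine service host is %SystemRoot%\System32\svchost.exe, and the copy under System32\dllcache is the Windows File Protection backup, which is not normally the one running. The script parses a constructed sample shaped like the CSV that wmic prints for the running svchost.exe processes (hostname, PIDs and paths are made up) and flags any instance whose image path is not the System32 one or that lacks the "-k <service group>" argument every genuine XP instance carries. SYSTEM_ROOT is an assumption for a default install.

```python
import csv
import ntpath

# Assumption: a default XP install; adjust if Windows lives elsewhere.
SYSTEM_ROOT = r"C:\WINDOWS"
EXPECTED_IMAGE = ntpath.join(SYSTEM_ROOT, "System32", "svchost.exe").lower()

# CONSTRUCTED sample, laid out like the CSV printed by this XP-era command:
#   wmic process where name='svchost.exe' get CommandLine,ExecutablePath,ProcessId /format:csv
# Two rows are the genuine host started with "-k <service group>", one is a
# same-named file sitting in the Windows directory, one is in a user's Temp folder.
SAMPLE_WMIC_CSV = """
Node,CommandLine,ExecutablePath,ProcessId
LAPTOP,C:\\WINDOWS\\System32\\svchost.exe -k rpcss,C:\\WINDOWS\\System32\\svchost.exe,860
LAPTOP,C:\\WINDOWS\\System32\\svchost.exe -k netsvcs,C:\\WINDOWS\\System32\\svchost.exe,940
LAPTOP,C:\\WINDOWS\\svchost.exe,C:\\WINDOWS\\svchost.exe,1532
LAPTOP,C:\\Documents and Settings\\USER\\Local Settings\\Temp\\svchost.exe,C:\\Documents and Settings\\USER\\Local Settings\\Temp\\svchost.exe,1788
"""


def parse_wmic_csv(text):
    """Turn wmic /format:csv output into dicts keyed by column name
    (wmic emits a blank first line, which is dropped here)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(lines))


def classify(rows):
    """Split svchost.exe processes into genuine-looking and suspicious.

    Returns (ok, suspicious); ok entries are (pid, image_path, command_line),
    suspicious entries are (pid, image_path, reason)."""
    ok, suspicious = [], []
    for row in rows:
        pid = int(row["ProcessId"])
        path = (row.get("ExecutablePath") or "").strip()
        cmd = (row.get("CommandLine") or "").strip()
        if not path:
            suspicious.append((pid, path, "no image path reported; inspect by hand"))
        elif path.lower() != EXPECTED_IMAGE:
            suspicious.append((pid, path, "svchost.exe running from outside System32"))
        elif " -k " not in cmd.lower():
            # Heuristic: every genuine XP instance hosts a service group named by -k.
            suspicious.append((pid, path, "genuine image but no -k service group"))
        else:
            ok.append((pid, path, cmd))
    return ok, suspicious


def report(text=SAMPLE_WMIC_CSV):
    """Print one line per process and return the classification."""
    ok, suspicious = classify(parse_wmic_csv(text))
    for pid, _path, cmd in ok:
        print(f"ok       pid={pid:<5} {cmd}")
    for pid, path, reason in suspicious:
        print(f"SUSPECT  pid={pid:<5} {path or '?'}  ({reason})")
    return ok, suspicious


if __name__ == "__main__":
    report()
```

On a real machine the same parser can be fed the output of the wmic command shown in the comment (saved to a file from the affected system, since wmic writes UTF-16 to the console). A file flagged as running from outside System32 is the one to quarantine and scan; the dllcache copy is left alone unless it fails a file-protection check.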
 

WinGuy

J.A. Mason said:
I can access the Internet from another computer, but I'm having
trouble getting my laptop to read files I write to a CD right now
(among other things). Once, this morning... I booted up my system &
EVERYTHING BEHAVED NORMALLY for the first time in SEVEN DAYS! I could
access the Start menu & decided to try reloading my wireless card to
get Internet access. When I rebooted... I was back at square one.
Does anyone know exactly where the CORRECT svchost.exe file should be?
I have 2 copies on my system...one in the System32 file, the other in
System32/dllcache file. It's the svchost.exe that is using up all my
resources, and I wonder if one of these should be deleted.

Thanks for all your help....

Jane

Jane, one of the methods I use for disabling all running tasks except for
what is absolutely needed to run Windows is to go into diagnostic mode. A
lot of normal things do not work in diagnostic mode because they are
disabled, but it lets you go in a step by step method until you find
something that is causing a problem. Diagnostic mode allows you to come up
in a semi-normal boot.

Here's the general idea. While rebooting, keep tapping your F8 key until you
get a menu that you select to boot into Safe Mode. Note that some viruses etc.
are capable of running in safe mode because they have installed one or more
"services" that can start in safe mode (but not in diagnostic mode) so you
might have to struggle a bit to eventually end up in diagnostic mode.

Anyway, in Safe Mode, click on Start and then on Run and type in "msconfig"
(without the quote marks) and click OK. You will see an option for
Diagnostic Mode. Select Diagnostic Mode and then click the OK button. Allow
the reboot, and let it boot normally. When you get the message indicating
that you are not booting normally then select the "don't remind me" option
and then on OK (do not click the Cancel button). This should get you to your
normal desktop but a lot of things will not work because many "services" and
other startup things are not running. But you should be able to use msconfig
and windows explorer (you can run windows explorer by clicking Start then
Run then enter in "explorer" without the quote marks). Explorer will let you
search for files that you later find to be a problem.

Run msconfig again. Try enabling one thing at a time and then reboot, see if
all appears to be ok before enabling something else. First, re-enable all
these things at once: On the General tab, select the Selective Startup
option and then select (1) Process SYSTEM.INI file, and (2) Process WIN.INI
file. Reboot and see if things still seem ok even though a lot of
functionality is still not available yet for you to use. If not, look in
msconfig on the tabs for those 2 files and deselect all their options and
then re-enable them one at a time, with a reboot between each re-enabling,
until the problem reoccurs. You can further isolate any problem by expanding
(via clicking the + mark) an entry and enabling or disabling other options
concerned with the SYSTEM.INI and WIN.INI tabs in msconfig. If you find
something wrong with SYSTEM.INI or WIN.INI then post back to this forum for
more specific help and please detail what you can not re-enable without it
causing a problem.

If nothing in WIN.INI or SYSTEM.INI needs to be disabled then go to the
Services tab in msconfig and start enabling one "service" at a time,
rebooting each time. Ignore any error messages (some services will not run
even if enabled unless another service it "depends" on is also enabled),
you're just looking for your original problem to appear again. If you find
the problem comes up when you enable something in Services, keep that
service disabled and ask here in this forum for help on how to get that
service working correctly again (it might not be a valid service, it could be
a service for a virus or trojan or something else). Continue enabling until
all services are re-enabled except those that cause a problem. Post back to
this forum and say what service must be disabled to see if it is a necessary
service or one that was installed by a system compromiser.

If the problem does not appear after enabling all services, and you have all
the services started, then the only thing left is that something in the
Startup tab of msconfig is causing you the problem. Again, use the same
enable/disable methodology until the problem re-occurs -- at which point you
know what needs to not be enabled. :)

Now right-click on My Network Places icon on your desktop, select
properties. I'm doing this from memory, the idea is that you want to turn on
the built-in XP firewall for each of those icons you see in My Network
Places. Look for something like "protect my computer" and an advanced tab,
what you want is definitely available somewhere after you right-click a My
Network Places icon and select properties (it is there, sorry but at this
writing the only XP I have available is checking to make sure a 120Gig HDD
has no bad sectors so I can't look and tell you better directions).

When you have everything enabled that you can without the problem occurring,
try to go online and update your antivirus and run it again (virus could
have been disabling it before now). Get the freeware version of ZoneAlarm
from grisoft.com. Google a bit and find Ad-aware6, Spybot Search & Destroy,
SpywareBlaster, and SpywareGuard. Those are my favorite "bad things" killer
utils. Install them, be sure to update them, take the time to learn how to
configure and use them (this part will pay off in the future, too), and then
run them. With Spybot, don't use its Advanced mode of operation just yet,
only run it with its default mode instead. However, you might have to go
into advanced mode long enough to go to its Tools and Settings and turn OFF
the default option to set a System Restore point (Spybot will hang if it can
not set a restore point in XP, something that needs to be fixed by its
author).

Whatever those utilities find, let them get rid of. With some viruses and
trojans you have to run Ad-aware6 and Spybot several times, with reboots
in between. Always reboot and run them again just to be sure if they find
anything, some viruses and especially 3rd party IE toolbars will fight those
utils. Really, whatever you lose because of running Ad-aware6 and Spybot is
something you don't want. SpywareBlaster and SpywareGuard help to protect
your registry from modifications made by system compromisers. SpywareGuard
will require your approval if something wants to modify your registry
(obviously, if you're installing something that you know is ok then you'd
give permission to SpywareGuard).

After all that, right-click on My Computer, then on Properties, and look for
the System Restore tab. Use the option to turn off System Restore, wait a
minute, then turn it back on. That will clear any old system restore points,
set a new one, and assure that any virus that was in it (and that your
antivirus utility could not eliminate) will now be gone. You should see a
fair amount of HDD activity when you turn it back on unless you still have
disabled its needed service using msconfig.

At this point you should be operational and free of system compromisers.
Only the things in the startup tab of msconfig that are still disabled are
keeping the system from being fully in a normal operation mode. Although you
could (probably) safely re-enable those things now, you'd likely get some
error msgs saying that a file could not be found (since your tools removed
them!) so just leave msconfig in Selective Startup mode or take it to
someone who knows how to delete those unwanted selections (it has to be done
in registry, something I wish someone would carefully write a utility to
do).

I hope all this helps you (and others) recover from the unfortunate
situation. Be sure to go get all the MS updates (in IE, click Tools and then
go to the update site). If system files were damaged then (1) updates might
fix that but if not then you'll need to boot your XP CD and "upgrade" your
current installation (a new install would cause you to lose everything, so
you need to instead do an update or repair -- see other topics in this forum
about how to properly do that).

:)
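The msconfig procedure in the reply above re-enables one service or startup entry per reboot until the symptom returns. As an added example that is not part of the reply, the script below simulates that search and contrasts it with halving the candidate list on each reboot, which finds a single offending item in about log2(n) reboots instead of n. It also handles the caveat the reply raises about services that "depend" on others: each tested set is closed under its dependencies first, so an item whose dependency is disabled is not mistaken for harmless just because it never started. The service names, the dependency graph and the item called "Unknown Service (constructed)" are all made up for the simulation; `symptom_returns` stands in for "reboot with exactly this set enabled and watch for the symptom".

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

Deps = Dict[str, List[str]]

# CONSTRUCTED candidate list and dependency graph; not taken from any real XP box.
CANDIDATES: List[str] = [
    "Event Log", "Themes", "Workstation", "Server", "Print Spooler",
    "Windows Time", "Wireless Zero Configuration",
    "Unknown Service (constructed)", "Help and Support", "Messenger",
]
DEPS: Deps = {
    "Server": ["Workstation"],
    "Messenger": ["Workstation"],
    "Unknown Service (constructed)": ["Wireless Zero Configuration"],
    "Help and Support": ["Event Log"],
}
CULPRIT = "Unknown Service (constructed)"  # the one item that brings the symptom back


def symptom_returns(enabled: Set[str]) -> bool:
    """Simulated reboot: a service only runs if everything it depends on is
    also enabled, and the symptom appears only when the culprit actually runs."""
    running = {s for s in enabled if all(d in enabled for d in DEPS.get(s, []))}
    return CULPRIT in running


def with_dependencies(items: Set[str], deps: Deps) -> Set[str]:
    """Close a set under 'depends on' so every tested item can actually start."""
    closed, stack = set(items), list(items)
    while stack:
        for d in deps.get(stack.pop(), []):
            if d not in closed:
                closed.add(d)
                stack.append(d)
    return closed


def one_at_a_time(candidates, deps: Deps, reproduces: Callable[[Set[str]], bool]):
    """The reply's method: enable the next item (plus its dependencies), reboot,
    keep it enabled if the symptom stays away. Returns (culprit, reboots)."""
    enabled: Set[str] = set()
    for n, item in enumerate(candidates, 1):
        enabled = with_dependencies(enabled | {item}, deps)
        if reproduces(enabled):
            return item, n
    return None, len(candidates)


def find_culprit(candidates, deps: Deps,
                 reproduces: Callable[[Set[str]], bool]) -> Tuple[Optional[str], int]:
    """Halve the suspect list on every reboot. Returns (culprit, reboots), or
    (None, reboots) if the symptom never reproduces with everything enabled."""
    remaining = list(candidates)
    reboots = 0

    def test(subset):
        nonlocal reboots
        reboots += 1
        enabled = with_dependencies(set(subset), deps)
        return reproduces(enabled), enabled & set(remaining)

    hit, _ = test(remaining)
    if not hit:
        return None, reboots
    while len(remaining) > 1:
        progressed = False
        mid = len(remaining) // 2
        for half in (remaining[:mid], remaining[mid:]):
            hit, suspects = test(half)
            if hit and len(suspects) < len(remaining):
                remaining = [x for x in remaining if x in suspects]   # culprit is inside this closure
                progressed = True
                break
            if not hit:
                remaining = [x for x in remaining if x not in suspects]  # culprit is outside it
                progressed = True
                break
        if not progressed:  # both halves pull each other in via dependencies
            raise ValueError(f"mutually dependent items cannot be separated: {remaining}")
    return remaining[0], reboots


if __name__ == "__main__":
    print("one at a time:", one_at_a_time(CANDIDATES, DEPS, symptom_returns))
    print("halving:      ", find_culprit(CANDIDATES, DEPS, symptom_returns))
```

With the constructed list the one-at-a-time walk needs eight reboots to reach the culprit, the halving search four (one to confirm the symptom reproduces at all, then three halvings). The same oracle shape applies to the Startup tab: substitute the startup entries for the service names and keep `DEPS` empty.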
 
