HELP ! - anybody - virus problem

I would suggest the following:

1. Buy a spare hard drive -- two if you can afford it, plus some drive imaging software (I like Drive Image, but Norton Ghost will probably work too).
2. Image your existing drive.

3. Restore this image to the spare drive (easier if you bought 2 drives in step 1)

4. Attempt to simply re-install windows over itself first instead of a full rebuild.
Assuming that doesn't work,
5. Install a clean new copy of Windows onto the new drive.
6. Make an image backup of that.
7. Download/install all the latest patches, service packs, etc.
8. Make another image backup.

9. Either mount your old drive as a slave, or copy everything off it into something like an "OLD-SYSTEM" folder on the new drive.

All your important files, images, actions, etc. will now be at your fingertips for use in building the new system up to where the old one was. It's the install of IE and its configuration that are hosed, not your data. For example, once you install Photoshop on the new drive, you can copy over all the actions from where they lived on the old system and have access to them almost immediately.

Periodically through the re-install/recovery process, make new/updated image backups to "save your place".

Hope it doesn't come down to this, but if so, I hope it helps.
 
Interesting read at http://www.computercops.biz/postt44155.html
about correct usage of Hijack This in removing Cool Web Search. It
seems to be a registry based trojan. My own (quick) interpretation
of the Hijack This logs before/after fixing seem to indicate that
any mentions of "ht tp: greatsearch.biz" in the registry are bad
news. I've added some spaces in this web address so no one goes
there by accident!
Steve -

I've had so many excellent pointers on this that my head is reeling !!! but anything to try, so I've just done a Reg search on that 'great* ' and this finds nothing !

This is the trouble you know - it varies so much that what seems to have worked OK in many cases, with others, isn't with me. I've put a stop on it with my 'Permissions' DENY entry in the Reg .. that does seem to work,

in fact I almost think it's normal...but I know it's still there and I've not yet found it to shift entirely.
--
EJN
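
The before/after HijackThis log comparison discussed above, as an added example that is not part of the original posts or of HijackThis itself: it parses the R0/R1 (IE page values) and O4 (autostart) lines of two logs and reports which page entries came back after being fixed, which are set in both HKCU and HKLM, and which autostart entries are not on a known list. The log lines, `hijacker.example`, the `sysupd` entry and both allow-lists are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# R0/R1 lines hold Internet Explorer start/search page values:
#   R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://...
R_LINE = re.compile(r"^R[01] - (HKCU|HKLM)\\.+?,(.+?) = (.*)$")
# O4 lines hold autostart entries:  O4 - HKLM\..\Run: [name] command
O4_LINE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\(\w+): \[(.*?)\] (.*)$")

# Constructed sample: log saved before fixing the entries.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijacker.example/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hijacker.example/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hijacker.example/bar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hijacker.example/search
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sysupd] rundll32.exe C:\WINDOWS\system32\sysupd.dll,Start
"""

# Constructed sample: log saved after fixing the entries and rebooting.
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijacker.example/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hijacker.example/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hijacker.example/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example.org/
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sysupd] rundll32.exe C:\WINDOWS\system32\sysupd.dll,Start
"""

TRUSTED_HOSTS = {"example.org"}   # placeholder: hosts the user set on purpose
KNOWN_AUTORUNS = {"avg_cc"}       # placeholder: autostart names the user recognises


def parse_log(text):
    """Return (pages, autoruns) dicts built from the R0/R1 and O4 lines."""
    pages, autoruns = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            hive, value, data = m.groups()
            pages[(hive, value)] = data.strip()
            continue
        m = O4_LINE.match(line)
        if m:
            hive, runkey, name, command = m.groups()
            autoruns[(hive, runkey, name)] = command.strip()
    return pages, autoruns


def is_trusted(url, trusted_hosts):
    """Empty values are fine; anything else must resolve to a trusted host."""
    if not url:
        return True
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def triage(before_text, after_text, trusted_hosts, known_autoruns):
    before_pages, _ = parse_log(before_text)
    after_pages, after_runs = parse_log(after_text)

    bad_before = {k for k, v in before_pages.items()
                  if not is_trusted(v, trusted_hosts)}
    bad_after = {k for k, v in after_pages.items()
                 if not is_trusted(v, trusted_hosts)}

    return {
        # Bad before the fix and bad again afterwards: something rewrote them.
        "returned": sorted(bad_before & bad_after),
        # Bad before and not bad afterwards: the fix held for these.
        "stayed_fixed": sorted(bad_before - bad_after),
        # Same value name hijacked in both hives: both copies need cleaning.
        "both_hives": sorted(v for (h, v) in bad_after
                             if h == "HKCU" and ("HKLM", v) in bad_after),
        # Autostart entries still present that the user does not recognise;
        # these are the candidates for whatever restores the page values.
        "unknown_autoruns": sorted(name for (_, _, name) in after_runs
                                   if name.lower() not in known_autoruns),
    }


if __name__ == "__main__":
    report = triage(BEFORE_LOG, AFTER_LOG, TRUSTED_HOSTS, KNOWN_AUTORUNS)
    for section, items in report.items():
        print(section, "->", items)
```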
 
...to read, go through the steps of "I think my computer is
infected or hijacked. What should I do?" and post your
results/symptoms in the security forum I provided in my
previous posts?

There are a lot of security professionals/gurus that will take the
time to help people whose PC has been infected and/or hijacked.

If they cannot solve your problems I doubt anyone else can.

BTW, I understand not wanting to start from scratch on rebuilding
your system. Also faced the same task 10 years ago when my hard
drive died.
Since then I ALWAYS keep a current image of hard drive. No longer
worry about having to FDISK/Format or replace hard drive.
Jon -

Since my 'Permissions' DENY thing in the Reg does seem to have scuppered it from DOING anything (although it THINKS it has), I'm now down to trying to locate something, so only 10 minutes ago I sent a long email to 'merijn' at Computer Cops (he did say do that if needed) with a HiJack current list. To me, there's NOTHING on that now to show - all seems normal , but HE's the expert so I hope he can make some comment.

By the way, I've had to explain this as it's unusual to many - I'm a TOTAL laptop user , so you have a great deal less to play with as you'll appreciate. No changes of hard drive that easily etc etc and whilst I'm giving thought to the Drive Image thing, again I don't know if this is as good or easy with a laptop...you just can't slot in another mirror drive in a big empty case you know !!! Must be a way I suppose...but get this sorted first...

--
EJN
 
There is a program out there called startuplist.exe which prints to
notepad all of your startup entries. You might want to find that,
print it and send to one of the tech forums mentioned.

--
Stinson
C-750, D-40, B-300, Nikon 4T macro, PS CS
http://www.StinsonsTerra.StinsonsC750Gallery.PhotoShare.co.nz
http://www.photosig.com/go/users/view?id=64739

Stinson -

I've got THREE progs that give me such a list and regularly check them as I find some are not needed regularly - start 'em as I want instead...so there's NOTHING changed or added there...that I know.

As an aside...have you come across or used a prog called "Your Uninstaller" - wonderful ...it tracks all installs and when you want to uninstall anything, you do it with that and it not only does it properly but unlike CP Add/Remove, it goes on to shift/clear ALL associated Reg entries and the dir...unlike Add/Remove which leaves half the damn things on...dead

--
EJN
 
I foolishly logged onto what I knew was maybe a dodgy site and in less than 1/2 hour I'd got 7 viruses.
Let me guess. that site you "foolishly logged onto" was with IE?? And ActiveX was enabled?

Of course, nothing's perfect, but I'd say that had you been using Mozilla or Opera, which have none of that virus/trojan enabling ActiveX, then the possibility of becoming hijacked would've been greatly reduced. And with Java off, that's even more protection.

That doesn't help you now, of course, but you might like to consider it for the future, good luck...
 
I would suggest the following:

1. Buy a spare hard drive -- two if you can afford it, plus some
drive imaging software (I like Drive Image, but Norton Ghost will
probably work too).
2. Image your existing drive.
3. Restore this image to the spare drive (easier if you bought 2
drives in step 1)
4. Attempt to simply re-install windows over itself first instead
of a full rebuild.
Assuming that doesn't work,
5. Install a clean new copy of Windows onto the new drive.
6. Make an image backup of that.
7. Download/install all the latest patches, service packs, etc.
8. Make another image backup.
9. Either mount your old drive as a slave, or copy everything off
it into something like an "OLD-SYSTEM" folder on the new drive.

All your important files, images, actions, etc. will now be at your
fingertips for use in building the new system up to where the old
one was. It's the install of IE and its configuration that are
hosed, not your data. For example, once you install Photoshop on
the new drive, you can copy over all the actions from where they
lived on the old system and have access to them almost immediately.

Periodically through the re-install/recovery process, make
new/updated image backups to "save your place".

Hope it doesn't come down to this, but if so, I hope it helps.
Inigo -

I'm truly appreciative of all your guidance on this topic but I wonder if you've caught my periodic comment here that I'm a TOTAL laptop user and as such of course do not enjoy the same pleasures as desktop users in being able to slot in added drives and that sort of thing. In fact many (most) laptops I don't think allow an external drive as a bootable one ???? .. they're all of any type treated as a 'Removable Drive' and have limitations because of that. They CAN be linked of course and indeed I use two external drives of this nature , on which I've had the sense to keep for such as my pic files (main) and d/l progs (original) etc...so SOME use can be made of them this way, but I don't think they are , or can be, used quite as you would probably with a desktop for such as easy imaging etc. Not sure but it certainly I don't think is quite as practical or easy on laptops.

--
EJN
 
I foolishly logged onto what I knew was maybe a dodgy site and in less than 1/2 hour I'd got 7 viruses.
Let me guess. that site you "foolishly logged onto" was with IE??
And ActiveX was enabled?

Of course, nothing's perfect, but I'd say that had you been using
Mozilla or Opera, which have none of that virus/trojan enabling
ActiveX, then the possibility of becoming hijacked would've been
greatly reduced. And with Java off, that's even more protection.

That doesn't help you now, of course, but you might like to
consider it for the future, good luck...
Actually my default Browser is MyIE .. in fact an excellent one. Suppose opinions vary but MyIE works excellently - stops pop-ups and such other features, and the presentation is immensely better. Never used IE for AGES. People vary...I tried Mozilla but didn't personally get on with it...MyIE is still more suitable to me....but it didn't stop this...nor I doubt would have many others...are you sure Mozilla is THAT safe against such as this bug ?????

--
EJN
 
Actually my default Browser is MyIE .. in fact an excellent one.
Suppose opinions vary but MyIE works excellently - stops pop-ups
and such other features, and the presentation is immensely better.
Never used IE for AGES. People vary...I tried Mozilla but didn't
personally get on with it...MyIE is still more suitable to
me....but it didn't stop this...nor I doubt would have many
others
Not exactly sure about this but MyIE appears to be another version of IE - actually, more than likely, otherwise Microsoft would start a law suit, like what's happening with Lindows - like a skin for Opera etc, plus some add-ons, like pop-up stoppers. So that means that, as far as malicious code is concerned, it'd be the same as using IE itself. Which means you'd still have to take specific steps to disable ActiveX.

...are you sure Mozilla is THAT safe against such as this bug
As I said, nothing's perfect, but it seems to be the accepted wisdom that many virus/spyware/trojans exploit the ActiveX security weaknesses. Whether it would block this particular one, well, I can't say.

Seems like the major problem you're having is in actually identifying which trojan/hijacker you've got.

I haven't had time to go thru the whole thread, but do you only start running into problems when you start your browser, or do strange things start happening when your computer starts?

If it's the former, then an immediate workaround would be to stop using that browser and get another one quick smart. That would at least give you some breathing space. Go to mozilla.org and download Firefox, a kind of Mozilla Lite, only 6mb or so and a quick download...

Hope this helps, good luck...
 
Good points/issues about using a laptop.

You might want to check out this program -- I've used it a bit, and they were kind enough to provide me with a temporary(?) license key to allow me to be more flexible in my timing and depth of evaluation.

It looks like it can create a bootable CD complete with support for USB drives. That might be the answer for you.

Acronis True Image: http://www.acronis.com/

From what I've seen so far, it looks pretty good. I've only run a full backup and a few incrementals to date. I just got a new hard drive though, and will be conducting my first attempt to "boot from CD and restore the entire system" shortly. If that works cleanly, I'll be breaking out my wallet. :-)
 
I haven't had time to go thru the whole thread, but do you only
start running into problems when you start your browser, or do
strange things start happening when your computer starts?

If it's the former, then an immediate workaround would be to stop
using that browser and get another one quick smart. That would at
least give you some breathing space. Go to mozilla.org and download
Firefox, a kind of Mozilla Lite, only 6mb or so and a quick
download...

Hope this helps, good luck...
Sorry for clipping a lot but I think it's only this part that matters in this reply.

Yes, nothing goes wrong until I log onto the Browser...but that's the idea of this Scumware...it uses its own HOME page for its own purpose - not applicable of course until you go onto the Internet and a Browser. It loads some file or other onto your computer (Helluva job to locate as the Scum is SO variable itself) then immediately changes whatever you have yourself decided as 'Home' page..to ITS page - and literally as fast as you change it back to YOURS, it changes it again to its own...unbelievable the hassle. Some people seem lucky - there are a couple of progs in particular that in many cases do it in a twinkle...I've used both many times before and they work fine...but on this one it doesn't...with me...a variant I've got, I can only conclude. I've stopped it at present by a Reg change..will not go into details in case some folk read and try it , and mess up...but it IS working in that it stops it changing...but the bug I still cannot find.

Re Mozilla and your comments on DirectX .. well doesn't this bring us to HOW people use the computer..and what for. As I understand it ...and many progs have told me this...a lot of stuff I use MUST have DirectX ...in fact , the latest version..or it don't work. So Mozilla without it seems useless for such as me, surely....

--
EJN
 
I've just switched off and re-booted for another purpose and Spy Sweeper told me immediately that it had tried to change my Home page again (didn't of course , with my 'blocker' ) but it DOESN'T then occur with the Browser, it's happening right from switch-on...clearly a Reg control I'd think

--
EJN
 
NOTE: Some of the suggestions that follow have the potential of rendering software unusable. Even in the best circumstances, virii can attach themselves and infect executables and libraries that are necessary for the operation of windows. If you are not comfortable with dos commands or the registry, you might want to pay to have your machine fixed professionally. If your restore disks are not the same service pack as your current version of windows and you have to manually delete a virus, DO NOT proceed. You will likely end up having to reinstall windows from scratch if you have to replace any uncleanable system files.

Sorry to hear about your predicament. Virulent spyware has become a great nuisance. Having a single program get through can leave you with all of their affiliate programs infecting your machine within hours.

The simplest solution which has most likely been stated several times is to format and start over. However, the simplest is also usually not the most feasible as everyone inevitably installs programs without saving the installation files or making extra copies of their utilities whether they be addons, actions, or whatever. Which leads to the time consuming solution.

Before you go nuts, turn your machine off and walk away from it for a day or two. Working on it if you are in a rush or angry will invariably cause a mistake which might bring you to having no option left but formatting. Plan yourself 2 evenings or an entire Sunday to fix it. (The last machine I fixed for family took almost 6 hours. Granted, it was a p3 800 and scanning was slow, but to fully clean a machine can take ages.)

If you have another computer handy, do your research on it, or if the machine isn't entirely debilitated, use it. You will want to download a few programs to help you along. Adaware is an absolute must. The other program you are going to want in order to fully succeed is Zone Alarm. There is a great deal of debate as to the usefulness of it as a firewall but I can attest that it is absolutely invaluable when cleaning a machine of spyware.

Download those two, as well as any other utility you feel will be useful. Download any updates to your anti virus software and anti spyware utilities. Print off any information about registry keys or other pertinent information for manual removal of the spyware and then physically disconnect your machine from the internet. Be sure to google any utility you use to remove spyware to be certain that it doesn't contain spyware itself.

By now you might want to take a break and have a beverage. Breaking the work up takes longer but is much less stressful in the end. When you come back you will be ready to continue.

Once you get back, it is time to get your virtual hands dirty. In windows xp, you will need to go and turn off the restore points, and manually delete the restore files. This can come back to bite you, but chances are there will be a virus or spyware hidden in there that cannot easily be extracted. Once you are finished and know that your machine is clean, you can re-enable and create a fresh restore point.

Should there be a virus on your machine that prevents proper scanning by anti-virus utilities, you will have to boot to safe-mode with command prompt only. Chances are pretty slim that this will be necessary, but once in a while it is. Manually maneuver to the files that need to be deleted and do so. If you get an error saying you do not have permission, you can take a restore disk, and go to the command prompt from the emergency repair menu. Keep the restore disk handy as some files that need to be deleted may have to be replaced for windows to work. Any instructions you have on such virii should let you know if any files have to be replaced.

Next, run the anti-virus software, and then the spyware scanners. Reboot in between each pass is optional, but some people recommend it. Once that is complete and you are fairly sure your machine is clean, it is time to install zone alarm. Zone alarm can be a little intimidating at first, but it is designed to be as user friendly as possible. It will ask you every time something new wants to use the internet. You can selectively disable any software you want from accessing the internet.

With zone alarm installed, you can safely plug your machine back into the internet connection, but you are not finished yet. Start up each program you use normally on the internet each in turn, and allow them access once. Anything that asks for access that you do not recognize should be researched through google or the built in service in zone alarm to determine if it is safe. If you still are not sure, allow it access once, and see what it does. By doing this, you can find out if there is spyware that the programs missed, and you can then manually delete those as well. Once you have determined that all the software on your machine is safe, you can set them permanent access in zone alarm.
 
It is time to take another break. Your machine should now be clean, but give another run with the scanners, just in case. Go in, re-enable your restore settings and create a fresh restore point.

The final step is prevention. I believe you said you were running xp. The following is not necessary, but I recommend to anyone that they should do them to help prevent further infections.

1. Keep internet explorer installed, but do not use it for your daily surfing. Install an alternate browser such as mozilla, netscape (same engine), or Opera to use when browsing new or unfamiliar / untrusted sites. Only use internet explorer when surfing sites that need it and are trusted. Even with the security settings raised to the highest, there are exploits in IE that make it dangerous to use.

2. Turn off all preview panes in outlook / outlook express. Turn off reading mail as html. Disable vb/vba script. Never run executable attachments. Even if it is from someone you know, it isn't worth the hassle of cleaning your machine just to get a quick and cheap laugh from a joke. If you are receiving a program from someone you know, verify through email beforehand, and ensure that they zip/ rar it first.

3. Windows XP has different permission levels for different groups available. If you have had the machine running for quite some time, you likely don't install much anymore. Create a new user with no installation permissions, and use it instead of a power user or administrator type account. You may find it takes some time to tweak it to run everything you normally do, but it is an invaluable method of keeping your kids out of areas you don't want them and it helps to prevent accidental installation of software over the web.

PS. If you are an experienced user and familiar with the registry, make a backup of your registry and then run a registry cleaner. Make a backup of the stripped keys and check them by hand. Chances are there will be some delinquent keys left over after everything has been cleaned.

Have another beverage when you are done and pat yourself on the back for having saved 300$ to have it done at a shop.

PPS. Now that you have a clean machine, and a nice fresh restore point, it is a good time to do a defrag to help speed things up.
 
By the way, I've had to explain this as it's unusual to many -
I'm a TOTAL laptop user , so you have a great deal less to play with
as you'll appreciate. No changes of hard drive that easily etc etc
and whilst I'm giving thought to the Drive Image thing, again
I don't know if this is as good or easy with a laptop...you just
can't slot in another mirror drive in a big empty case you know !!!
Must be a way I suppose...but get this sorted first...
If your laptop has a CD-R burner you can make an image or backup (depending upon software/method you prefer) to CD-Rs.

Or if your laptop does not have a CD-R burner and has 2.0 USB ports, you can get an external CD-R burner or one of the USB 2.0/Firewire external hard drives.

Maxtor 200GB A01A200 7200RPM One Touch Firewire 1394/USB 2.0 External HD around US$240.
 
If your laptop has a CD-R burner you can make an image or backup
(depending upon software/method you prefer) to CD-Rs.

Or if your laptop does not have a CD-R burner and has 2.0 USB
ports, you can get an external CD-R burner or one of the USB
2.0/Firewire external hard drives.

Maxtor 200GB A01A200 7200RPM One Touch Firewire 1394/USB 2.0
External HD around US$240.
No - to be truthful, I've got all the time in the world and do seem to have this 'thing' blocked so I'm still continuing to find...or try to find .. the initial kick-off for it. Have just in latest hours found in the 'original' merijn site some notes of a HUGE list of sites and things that are logged into the Register ...and I've actually traced a lot of these in MY Reg...and those are now gone. But it hasn't stopped it..so shall still persist in going through and clearing as many as I can from the 'merijn' list - they HAVEN'T come back so that's one lot out of the way...it's the darned starter that must be somewhere. Most seem to just shift it with CWShredder but it doesn't get it on mine, alas.

I do have both CD and DVD burners on this laptop but again I'm really fighting shy of that path as I really don't feel confident enough and although it may be all too optimistic the fact is I've blocked it and with SO FAR no ill effect ... so I'm still taking the easy way out.

Rather than any drastic physical steps I've read of someone who simply d/l and installed a new update IE and that cleared everything. Could well be an easy way ???? Have some doubts ...but could be..

E.
 
Well, guys, if nobody can come up with a solution I really think
this might be the last you hear from me - really ...
About 22 hours ago I foolishly logged onto what I knew was maybe a
dodgy site and in less than 1/2 hour I'd got 7 viruses.
Fortunately, most were of a nature that I sorted them out but right
now I'm plagued incessantly with this blasted 'Cool Web Search'
thing ...and CANNOT find a way to rid it - just changes my Home
Page EVERY time , even though I've done all in my power to stop it.
Had for years on my machines - AVG (excellent overall) - Trojan
Remover and Pest Patrol. Funnily , just a few hours before this
episode I d/loaded and setup Ad-Aware6. It found one or two things
but has done NOTHING to sort out the Cool Web Search thing. Got
'HiJackThis' which is a superb thing...it shows immediately the
entries giving this Cool Web page but although I clear them they
just auto return instantly. Got a super prog called CWShredder -
that found at first the 'AboutBlank' entry that had been popped in
, but within the last hour or two I've clearly done something and
CWShredder now tells me I've got a clean machine...which I haven't
of course.
Did NOT have before, Spybot, so d/loaded that this morning. It
found a few things but again done NOTHING to shift Cool Web ...and
in spite of numerous searches in Google , plenty of ideas on
shifting it but none work.
This is on a two-month old new P4 3Gig laptop, on XP, my latest
pride and joy and have been piling tons of progs on it that I want
to use - NO WAY am I going to re-install to scratch and have to
start over again. Don't really know how to start and I don't know
where I'd find half the progs, keys etc to do that without a month
or more searches.
Frankly I'm just about fed up..spent 22 hours now trying to sort it
, apart from 6 hours restless night, and getting nowhere
I'd rather just give up the Internet if THIS is going to persist -
anyway, I believe that it can in fact open the door to allow
anything in ...so how on earth do I shift it after trying all this ?
Unlocked SysRestore just in case something was in there, nothing,
so I've now lost all my Restores too !!! and still no better off.
No problems in going into the Register but again, try as I may I
cannot find any clue as to WHERE is the kick-off...well, I DO find
the entry in 'Explorer-Main' key , but that's obviously not where
it's triggered..as I change that but it just comes back.
It's thanks or goodbye mates - I've about had it !

--
EJN
--
Stinson
C-750, D-40, B-300, Nikon 4T macro, PS CS
http://www.StinsonsTerra.StinsonsC750Gallery.PhotoShare.co.nz
http://www.photosig.com/go/users/view?id=64739

 
Nice of you to enquire -

Well, the position is that I think I've used just about every program I either had or has been suggested, and NONE have come up with a definite clearance...or more frustrating, any indication of the source-file and/or location that sparked it all off.

After trying a lot , I finally found by chance a way of 'blocking' access in the Register to the keys that log the Start/Home/Local pages...and that INSTANTLY stopped it changing Home page. I still got the message via Spy Sweeper (excellent prog by the way) that my Home page had "been changed" and offered to revert it to what it should be...but there was NO ENTRY for the change in the Spy Sweeper message onscreen..."the thing" THINKS it has changed it , but it hasn't , because of my Register block.

However on the strength of that message (which I never see now as I just requested the prog to do it and not screen it) - I can only assume that the original culprit is still lurking, but not able to do anything.

The reality is that my Home page now comes up regularly every time as norm, never quivers, and I use the computer just as though nothing is wrong, so on the strength of that it seems right now it's not worth the hassle to even think of a re-install or anything disastrous. Lord knows what work that would cause me and why I leaned over backwards to avoid.

Puzzle is - why does NO prog AT ALL , for the purpose, do anything or say anything. They all tell me I've got a clean machine, and after sweeping with about 4 programs at least it ALL comes up with NO result, apart from the odd Spyware/Adware type , relatively harmless and which my progs clear off anyway to stop any accumulation.

EJN
 
As I recall the person that had the problem awhile back I read that
the culprit was a file in the system directory that was mislabeled.
So instead of it being an .exe it was a .dll or something like
that. The item has a fake file extension I guess. Good luck.
--
Stinson
I had an excellent tip from someone to look in Windows+system+sys32 dirs to see if I could spot a file with a creation date/time to match the start of the problem - as I know almost for certain exactly when it started - within 30 mins or so of 5pm on 30th May - but I've just looked yet again to be sure and there's NOTHING. Plenty that were new and created LATER than evening..those would surely be what came from a variety of NEW progs I was then adding from recommends, after running my own that were already pre-logged...all others that day are around the 11pm slot , give or take an hour or two...when I WAS using/adding new progs...but NOTHING to pin down to that 5pm slot.

Pity the 'Search' on this Forums site is so poor - you just seem unable to get anything that goes back as far as you ever seem to want - and of course this Oly one moves like lightning .. anything about a week old can be 15 or so pages back !!! so finding anything a month or more ago is hopeless. Did a lot of Google searches in other similar Forums on such trouble but again, no clue. They all said CWShredder had cleared it , fine...it does NOTHING for me except say I'm clean !!
--
EJN
 
Decided to try a search again (this Forum) and put in 'hijack homepage' - it found just TWO entries...one of which...
http://forums.dpreview.com/forums/read.asp?forum=1008&message=6448356

Tried the Register search for 'searchweb' and it DID find a couple of entries...but they were as left in a sub-Key for what seems just a record of 'Runs' - I don't think it does much except keep a record. There is though , in one sub-Key in the Register ..called 'Domains' ...under something or other...and it literally is the record of all the domains the computer can look in as it wishes, covering it seems pretty near anywhere you've been...a sort of Registry Cookies. I'm half inclined to delete THE LOT , then re-enter the 'Domains' sub-key (then empty) for following use, as I suppose it can be helpful for a lot of genuine reasons...but it DID hold the searchweb etc and a few others I'm not happy with. I think I did clear Searchweb before, on the note of some other Google Forum note, but you know how these things multiply themselves like rabbits so ANY entry can be resurrected easily it seems. Most seem to have TWO locations and if you only delete one, it comes back from the other. So-and-so !!!
--
EJN
 
