32 replies to this topic

[uneekname]

That still didnt work... I double clicked it many of times..(I did save as All files as well)... I seem to have got this under control now and I dont know why I didnt think of it way before this headache, I just installed a different firewall and shut down all ports except the one I need to connect.. I'm on and removing what ever it is that caused all this mayhem... Thanks for all you help and support... wouldnt have gotten it with out ya.

[uneekname]

Okay cant seem to remove what spybot found... WWWSEARCH.Boot.conf.... I have tried CWShreddar and it says it does not find this on my system... However when I try to do updates on spybot my registry protection I put on it say my home page is trying to be changed.... Hmmm.. well I'll try some other proggies to see if they wont it/..

['KotaGuy]

Ok... lets try this differently.

Hit Start>Run, type in regedit, hit Enter. Browse to the HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root key. Delete the legacy.tbpssvc and legacy_wintoolssvc entries(right click, choose delete, or delete from the Edit menu).

Download Mwav. Run it, update it, do a full system scan. This tool will only detect, it won't clean. So I will need you to go through the resulting log and copy/paste any infected entries(full registry path or filename path included) into a reply here.

Edited by 'KotaGuy, 12 April 2005 - 09:03 AM.

[uneekname]

legacy.tbpssvc or legacy_wintoolssvc are not there in registry.

['KotaGuy]

Did you do the Mwav scan? If so, did it find anything?

[uneekname]

this is what Micro world found: Tue Apr 12 11:19:34 2005 => Scanning File C:\WINDOWS\NDNuninstall6_38.exe Tue Apr 12 11:19:47 2005 => File C:\WINDOWS\NDNuninstall6_38.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

['KotaGuy]

Thats a leftover from a New.Net infection.... how did you get rid of New.Net? Through Add/Remove Programs or with their uninstall process described on their website?

Try something for me... go here. Run through the steps for procedure #4.

Run a Spybot scan after rebooting... let me know how it goes.

[uneekname]

I believe its gone. spybot didnt recognize anything... Ya I found info a couple of days on how to remove the New.net... Let me try something real quick.. BRB

[uneekname]

I ran Adaware also and it was clean then an online scan it was clean spybot it was clean AND THEN the reboot and it's still there!!!!

['KotaGuy]

Mmmm... what is still there?

NDNuninstall6_38.exe?

If so... search for and delete the file.

[uneekname]

the CoolWWW.Search.Bootconf is still there... I did not see the NDNuninstall6_38.exe. Wait yes I do.. NDNuninstall6_38.exe is still there too!!!

Edited by uneekname, 12 April 2005 - 01:24 PM.

['KotaGuy]

Did you try deleting NDNuninstall6_38.exe? The CoolWWW.Search.Bootconf is strange... can't find any info on it. And the only thing that is detecting this Spysweeper? Might be a false positive. Is the computer still having the same original problems? Is is exhibiting any other problems? Can you remember what infections were on the computer in the first place? Nothing in your logs have pointed to anything serious, so if it is still doing the same thing.... Have you checked the DNS settings on your computer? Made sure they coincide with what you ISP has detailed? Have you tried manually entering the IP's of your ISP's DNS servers into your configuration?

[uneekname]

okay first, I am finally on the internet so there is no problem there. I have found out that the coolwww.search.bootconf is a varient of the vx2 cwshredder. I am not running spy sweeper any more. Spybot is picking this up.And I dont think it is a false thing cause why after all the stuff you told me to do that it was gone but then when I rebooted it was back and spybot was going off saying If I want to allowmy home page to be changed to "blank" or not....So I dont let it.. And I have tried to delete the NDNuninstall6_38.exebut can't seem to keep it gone. When you told me to Hit Start>Run, type in regedit, hit Enter. Browse to the HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root key. Delete the legacy.tbpssvc and legacy_wintoolssvc entries(right click, choose delete, or delete from the Edit menu), those 2 entries were not there in the registry...

['KotaGuy]

OK... internet problem gone... good!

Gonna get you to try something else for me!

Make sure no files are hidden. To do this:

1. Click Start.
2. Open My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide protected operating system files (recommended) option.
7. Click Yes to confirm.
8. Click OK.

Download CWShredder. Save it to its own folder. Run the program, update it, press Fix.

Download Killbox. Extract(unzip) it to its own folder.

Disconnect from the internet... unplug the cable to your modem if need be.

Close all open windows and programs, then start Killbox. Put a check next to "Delete on Reboot", then copy this line in "Full Path of File to Delete" box:

C:\WINDOWS\NDNuninstall6_38.exe

Click the red and white "Delete File" button.
Click "Yes" at the first prompt .
Click "Yes" at the second promt to reboot.

Let me know how it goes.

[uneekname]

Guess what it's GONE!!!!! There is however 86 errors during scan and this---->ue Apr 12 16:37:10 2005 => File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken. I dont think it is a serious thing but dont know why that came up like that. MIRC isnt used very much.