Spyware, Viruses, & Security forum

General discussion

Need some advice

by Fish / February 16, 2004 12:30 PM PST

I'm trying to help out a friend with puter problems. She started having problems right after her grandkids used her puter. Small problem is she can no longer load her games and is lost without them. I went to check it out and found many problems. I got rid of the easy stuff, i.e., gator, alexa and such, but found 3 big problems.
1. Klez = worm
2. n-case = parasite
3. Loader.exe =
I downloaded the removal tool for Klez but need to know how to boot to safe mode in XP to use it.
Also need advice on removing the others.
All I can tell for now is it's a Dell using XP with AOL dial-up.
Oh, I did run Spybot and Ad-Aware. Thanks for any help in advance.

Re:Need some advice
by Marianna Schmudlach / February 16, 2004 12:46 PM PST
In reply to: Need some advice

Safe mode on XP:

When the Operating System first starts (after the power on self test), press the F8 key on your keyboard. This will display a menu on a black background, which has an option called "Safe Mode."

Klez =worm
W32.Klez Removal Tool http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

n-case =parasite
http://www.doxdesk.com/parasite/nCase.html

loader - loader.exe - Process Information
Process File: loader or loader.exe
Process Name: Loader
Description: Application that hijacks a user's home page and redirects the browser to coolwwwsearch.com.
Company: N/A
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
Common Errors: N/A

Pls. let us know how you are doing!

Fish, This Should Help
by Grif Thomas Forum moderator / February 16, 2004 12:55 PM PST
In reply to: Need some advice

Whenever removing spyware/viruses on Windows XP, temporarily disable System Restore, then restart in Safe Mode, then run the removal tools:

To disable Windows XP System Restore:

1. Click Start.
2. Right-click on the "My Computer" icon, and then click Properties.
3. Click the "System Restore" tab.
4. Check "Turn off system restore" or "Turn off system restore on all drives". Click on Apply, etc.


How to Start In Safe Mode
Restart the computer, pressing the F8 key once per second, till it loads a selection screen. Use the up and down arrows to select "Safe Mode", press enter, and the computer will load into a safe mode. It looks like a normal screen but with Safe Mode in each of the four corners. When you're done, restart the machine and it will boot normally.

To clean out many viruses, including Klez, download and run while in 'Safe Mode':

McAfee Stinger Tool
http://vil.nai.com/vil/stinger/

A link for manually removing N-case:

http://www.doxdesk.com/parasite/nCase.html

And this is probably the "loader.exe" problem you have seen:

http://www.symantec.com/avcenter/venc/data/downloader.tooncom.html

Try running an online scan from the link below or run Spybot or Ad-Aware:

Panda Online Scanner
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Hope this helps.

Grif

Re:Fish, This Should Help
by Fish / February 16, 2004 9:22 PM PST
In reply to: Fish, This Should Help

Grif and Marianna, ty for your replies. I have printed the instructions and will try them. I do have one more question before I start. Would using system restore take care of this situation since the problem only started about a day and a half ago? My tech talents are very limited so I need to try easiest resolutions first. I figure the only dumb question is the one not asked. :-)

System restore might not work...
by Gakada / February 16, 2004 11:03 PM PST

because the virus etc. might have been there longer than you think...

Good Luck

Fish, Even If You Used System Restore..
by Grif Thomas Forum moderator / February 17, 2004 2:44 AM PST

....you would still need to check for the problem files and programs that you have mentioned. Although the System Restore "might" fix the issue if all of the "bad stuff" was installed at the same time, there's no way to know that they're completely gone without running the same tests/checks. It's up to you.

The tests that we have suggested aren't too difficult and should get the job done. If not, post back.

Hope this helps.

Grif

Re:Fish, Even If You Used System Restore..
by Fish / February 17, 2004 8:30 AM PST

Right you are, Grif. I decided not to use the restore. I did spend a few hours on that puter today with no success. I booted to safe mode and ran Spybot and Ad-Aware. Spybot found and got rid of 4 files. Ad-Aware came up clean. I then ran HouseCall and ended up stopping it after running for an hour and thirty-five minutes. It scanned at that point 33350 files and found 484 infections. Of those, 470 were Klez and uncleanable, 12 were pe elkern.d which were cleaned. One was called adw scanporta and not cleaned. The last one is called messenger service and keeps popping up porn messages. With almost all of them being Klez, I rebooted to safe mode after disabling system restore and tried running the Klez removal tool from Symantec. I tried 3 times and each try was aborted with the message whisk program or file deleted. Reboot and run program again, which I did with same result each time. I forgot to write the exact word but it was whisk or wink. Tomorrow I will write it down. Tomorrow I will go back and try some more.

Messenger Service
by Marianna Schmudlach / February 17, 2004 8:37 AM PST
Re:Messenger Service
by Fish / February 17, 2004 9:03 AM PST
In reply to: Messenger Service

Marianna, ty. This looks like one of the fixes I need. As for patches, I doubt if any have been installed since she got the puter. ;-( It's been about 3 years with no update, maintenance or, I'm sad to say, an anti-virus program. I might be in over my head here. I might not come out on top here but I'm sure getting an education with all the help you, Grif, Bob P and others share. Maybe tomorrow I should make all the updates first on the list? And then the free AV I saw listed in here somewhere?

Re:Re:Messenger Service
by Marianna Schmudlach / February 17, 2004 9:12 AM PST
In reply to: Re:Messenger Service
Fish, I've Used The 'Stinger' Tool On Heavy Klez Infections
by Grif Thomas Forum moderator / February 17, 2004 9:15 AM PST
In reply to: Re:Messenger Service

...and it normally works well. Remember to start in "Safe Mode", then run Stinger. Restart the computer into "Safe Mode" again, then run Stinger again. Repeat this till you come up clean.

McAfee Stinger Tool
http://vil.nai.com/vil/stinger/

Hope this helps.

Grif

Re:Messenger Service
by Fish / February 17, 2004 10:03 AM PST
In reply to: Messenger Service

Marianna, thanks for the info.
Grif, I'll use the Stinger right after the updates tomorrow. Thanks. This sure is the right place for help.

You're Welcome - glad WE can help ........
by Marianna Schmudlach / February 17, 2004 10:10 AM PST
In reply to: Re:Messenger Service

and let us know how you are doing ;-)

Re:Re:Messenger Service
by Fish / February 23, 2004 9:35 AM PST
In reply to: Re:Messenger Service

Update! More work to do. I'm still at it, being an amateur, but I'll keep at it.
I still have these two files to deal with when I feel ready to use Grif's instructions.
c:\program files\america online7.0\download\end.zip\end.src and c:\program files\America online7.0\download\false.zip\false.exe
both are w32 klez.h@mm the stinger found.
So far I have run Spybot, Ad-Aware, Stinger and HouseCall, and have removed a ton of crap. Today I installed AVG and it found a trojan named secondthought
c:\programfiles\commonfiles\slmss\slmss.exe. Couldn't remove it but did isolate it for now. Installed ZoneAlarm. I did forget to run scans in safe mode today but will do that tomorrow when back at that puter and maybe that will help with the trojan. It seems a vicious circle but maybe now with the AVG and firewall in place it will settle down. I can't believe with all I've cleaned up that I still can't get any games to load in Yahoo or AOL. Everything else is fine with this puter. I even downloaded Java thinking the kids may have deleted a shared file somehow, but no luck there.
Can one of the aforementioned files or trojan cause this problem?

Fish, You've Got Things Rolling Now
by Grif Thomas Forum moderator / February 23, 2004 12:36 PM PST

Restart the computer into "Safe Mode", then run another full system scan with AVG. Hopefully, it will get rid of the trojan, and the other files, but if not, use my previous instructions to attempt their removal using a command prompt window. The same type of commands can be used to delete the "slmss.exe" file, if you can't do it the normal way of RIGHT clicking on the file, choose "Delete" while in "Safe Mode".

Keep up the good work.

Grif

With that many infections, and 3 yrs without update and AV...
by Gakada / February 17, 2004 11:53 AM PST

I guess it's time to reformat the PC anyway...

So, I suggest you consider the Reformat and do a Clean install...

But, I wish you luck with the repair step...

Re:With that many infections, and 3 yrs without update and AV...
by Fish / February 17, 2004 9:56 PM PST

Gakada, you may very well be right but I think I have a shot at repair with all the info from the great techs on this site. Also, I'm really getting some great education from trying all the solutions they offer. Once again my hat's off to all of you for your time and efforts. I'm going back at that puter this morning armed with new ammo from this site. I will post any results later tonight.

Re:Re:With that many infections, and 3 yrs without update and AV...
by Fish / February 18, 2004 4:28 AM PST

Hi, well I'm at the beast as I type. I did turn off the messenger service. I did run the Stinger with good results. I was able to clear all infection but two.
c:\program files\america online7.0\download\end.zip\end.src and c:\program files\America online7.0\download\false.zip\false.exe
both are w32 klez.h@mm the stinger found
539 infected files 8 files repaired 535 deleted but can't handle these last two. :-(
I also had trouble with patches and updates. I tried twice to install service pack 1 with no luck. The download progress bar went smooth and easy but after that I waited an hour and a half and it never started the install. Tried it twice and failed. Also would like to know how to activate the firewall on XP. Please. TY

Fish, you are doing great!!!...
by glenn30 / February 18, 2004 5:28 AM PST

I have been following your progress. For the XP Firewall go to Windows Help and type "Internet Connection Firewall (ICF)" where you will find instructions. Simple but at the moment I do not remember.

Good luck in cleaning the computer... be sure to install an Anti-Virus program and update the reference files.

:-)

Glenn

P.S.
by glenn30 / February 18, 2004 5:33 AM PST

Maybe you could download that SP-1 and save to disk. Perhaps it would install from there. I have the Service Pack saved to a CD-R for use in a crash or other emergency.

:-)

Re:Re:Re:With that many infections, and 3 yrs without update and AV...
by dawillie / February 18, 2004 5:39 AM PST
both are w32 klez.h@mm the stinger found

Every AV, or just about, has a Klez removal tool you can download and run.

If you are unable to find any, please post back and one of us will supply a link.

david williams

Fish, Good Job So Far...More Info
by Grif Thomas Forum moderator / February 18, 2004 5:53 AM PST

In Windows XP, to delete those files, try restarting the computer into "Safe Mode", then open a command window by clicking on Start-Run, type "cmd" (without the quotes), then click on OK. When the command window opens, make sure we're at the same starting point by typing this:

cd \ (leaving a single space between the cd and the backslash, then press the "Enter" key.)

You should now see: C:\> so now type so it looks like this:
C:\>cd program files\america online7.0\download (leaving a single space between the cd and program, then press the "Enter" key.)

It should now look like this:

C:\Program Files\America Online7.0\Download>

Now type so it looks like this:
C:\Program Files\America Online7.0\Download>del false.zip (then press the "Enter" key) If it correctly deletes the file, it will simply return to:

C:\Program Files\America Online7.0\Download>

Now type so it looks like this:
C:\Program Files\America Online7.0\Download>del end.zip (Then press the "Enter" key).

If the files are deleted correctly, then you can close the command window.
_______

To use the Windows XP firewall, here is a good link:

Use the Internet Connection Firewall
http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp

Hope this helps.

Grif
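
An added example, not part of Grif's post or of any tool named in this thread: the two leftover detections were programs packed inside zip files in a download folder, and this Python script lists which archives in a folder hold directly runnable members, so the same check can be repeated after the `del` commands. The function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
import zipfile

# Assumed list of extensions Windows runs directly (not taken from the thread).
RUNNABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def runnable_members(zip_path):
    """Return names of archive members whose extension is in RUNNABLE."""
    try:
        with zipfile.ZipFile(zip_path) as zf:
            return sorted(n for n in zf.namelist()
                          if os.path.splitext(n)[1].lower() in RUNNABLE)
    except (zipfile.BadZipFile, OSError):
        return None  # unreadable or not a real zip: needs a manual look

def scan_folder(folder):
    """Map each flagged .zip in folder to its runnable members (None = unreadable)."""
    report = {}
    for name in sorted(os.listdir(folder)):
        if name.lower().endswith(".zip"):
            hits = runnable_members(os.path.join(folder, name))
            if hits is None or hits:
                report[name] = hits
    return report

def build_sample(folder):
    """Constructed sample data: harmless placeholder bytes, invented file names."""
    def make(name, members):
        with zipfile.ZipFile(os.path.join(folder, name), "w") as zf:
            for member in members:
                zf.writestr(member, b"placeholder, not a real program")
    make("false.zip", ["false.exe"])
    make("end.zip", ["end.scr"])
    make("photos.zip", ["cat.jpg", "readme.txt"])
    with open(os.path.join(folder, "broken.zip"), "wb") as fh:
        fh.write(b"not a zip")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for archive, hits in scan_folder(tmp).items():
            print(archive, "->", hits if hits is not None else "unreadable")
```

The script only reads archive listings; it never extracts or runs a member, and an empty report after cleanup means no zip in that folder still carries a runnable file.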

Fish - Keep Up The Good Work !!!

.

Re:Re:With that many infections, and 3 yrs without update and AV...
by Fish / February 18, 2004 7:58 AM PST

OK, my remaining tasks are to install the anti-virus and activate the firewall, which will be easy.

I will try downloading the SP1 on my puter and try to save to disk and then try to install on the problem puter.

Grif, I'm leaving your instructions for deleting those two remaining files till last as I am very intimidated when it comes to using CMP and typing commands as I have never done it or seen it done. I will give it a shot though.

As for the original problem I reported, I'm doubting that it will be fixed after all this very much needed work. I think it may need a different solution. Anyone care to give an opinion on this?

Re:Fish, Even If You Used System Restore..
by Fish / February 24, 2004 8:58 AM PST

Whew! And a great big THANK YOU to all that posted on this problem, especially Marianna and Grif Thomas. Grif, I was ready to give up but you gave me the encouragement to follow through. Thanks!! I have gotten rid of all the many bad guys and got the programs working for my friend and she is one happy camper. I gained a whole lot from the advice you all gave. A great site with great advisors. Bob Profitts (tool box) also is a must have. :-) >))))*>

(NT) Way To Go Fish ! We're Certainly Glad To Help
by Grif Thomas Forum moderator / February 24, 2004 9:15 AM PST

.

Fish - GREAT Job you have done !! Thumbs Up :)
by Marianna Schmudlach / February 24, 2004 9:32 AM PST

.
