May 2009 Archives

Thanks for providing the smitRem tool, it was great at getting rid of the installed program and pop-up.  After running it though, my display still stays with the basic blue background.  If I try to change the wallpaper in display settings, I cannot select any of the patterns and the scrollbar does not move.  I think that the "desktop" tab of the display settings has been faked somehow.  The various files like 'aquarium, ascent' aren't actually .bmp's in the Windows directory.  This is the same problem that I noticed before I ran smitRem.  I have used webshots for wallpaper and while that runs fine, it does not change the wallpaper image either.  Is there something else that I still have to remove?

Here is a shot of the desktop settings that I am talking about.

Answer:

http://www.freecomputeradvice.net/downloads/fixreg.zip

That will solve that; just download and run those two items. You may have to restart.

How to remove stealthy programs

I came across a particularly nasty virus lately, and I want to share some techniques for removing it and other virus programs that work the same way. The customer came in and said his laptop was running slow and thought he might have a virus. First things first: I run HiJack This and remove anything that looks suspicious, then restart, run it again and look for the entries I just removed that have come back. This is common: you remove them, they come back. So I make a note of those files, restart into Safe Mode and manually delete them. OK, done; however, upon restarting I still have pop-up advertisements.

I run SysInternals Process Manager to view all processes currently running on the PC and I find nothing out of the ordinary. Very strange. This is where things start to get confusing: how are these advertisements showing up if no running process is creating them?

This is a good time to introduce another tool by SysInternals: File Monitor. This program shows you a running list of all the files that are currently being accessed by the operating system. Now we can get a clear picture of not only the running processes themselves but also the files that are being accessed. If you look at the screen shot below you will see one file in particular that looks suspicious, fccax.dll. It appears over and over again, and a quick Google search reports that it is in fact SpyWare. So now what? Let's delete it. However, we cannot delete it now because it is in use, and restarting into Safe Mode won't work either, because it's still in use. Insert your Windows XP CD and boot to it, then at the first screen hit 'R' to get into the Recovery Console. Now you can delete the file.

Using Chkdsk

If you are having issues with your hard drive or have corrupted files, it's a good idea to boot into the Recovery Console and run a hard drive scan. The advantage is that this does not require you to boot into Windows. So if your computer is unable to boot into Windows, don't worry.

If you have the Recovery Console installed

If your PC has the Recovery Console already installed, whether you did it yourself or it came from the manufacturer that way, hit the F8 key every second when your computer first turns on. When the menu comes up, look for 'Boot using Recovery Console'. If you see it, great: select it and let's get going.

If you do NOT have the Recovery Console installed.

OK, no big deal. Insert your Windows XP Home or Professional CD and restart your PC. You should see 'Press any key to boot from CD...'; press any key, any one will do. At the first menu hit 'R' for Repair. It may ask which version of Windows to boot into; you probably want to choose the one that says C:\WINNT. It will ask you for the administrative password, so you will need to know that.

Once you are in, type

chkdsk /r

It will run and hopefully find and repair your hard drive errors. If it says 'Your hard drive contains one or more unrecoverable errors' you may have to replace your hard drive. 

How to take a screen shot

Troubleshooting a computer problem is often much easier if the technician can see the exact error message that you are seeing. Luckily for us, Windows XP comes with a way to do just that. If your computer can send email with Outlook or Outlook Express, then you can very easily send a screen shot.

When you see the error message, press the 'Prnt Scrn' key on your keyboard, then create a new email message and address it to the person you want to see the error. Now click your cursor in the message body and hit CTRL+V to paste the picture.

That's it! The screen shot that was captured when you hit PrntScrn is now pasted in the message, and you can now send it. Hopefully the technician can help.

Windows 7 - XP Mode - Thank God!

There's a million blogs talking about how great / bad Windows 7 is. My biggest problem has never been with Windows 7 but rather with Vista. As an IT professional I'm aware that no business wants Vista. Why? Because [insert proprietary software name] won't run on it. So if it won't run on Vista, how does Windows 7 stand a chance?

Well, fortunately Microsoft did think about this. They have a special 'XP mode' that is designed to run all Windows XP compatible programs. Wow, that's awesome. This actually gives me hope for Windows 7, and with that feature I can see it being used in a business environment. The technology seems to use a virtual PC to recreate XP's environment. This also helps Windows 7 another way: developers will now write Windows 7 software!

With more people using XP mode that means people are using Windows 7 and adopting it. With more and more use, software developers will actually update their code. I hope Microsoft makes the feature work well. The future of Windows in a business environment depends on it.

How to use Hijack This

Upon running HiJack This you will get to the screen shown below. What you want to do here is click on 'Do a system scan only'. This will scan your PC for startup programs located in the registry, startup folders, etc. Basically, this will return a list of programs that start when your computer starts up. We want to see this information so we can identify bad things and remove them.

We will now have a screen similar to what is shown below. This is where it gets a little difficult because bad programs don't exactly pop up and say 'I'm bad, remove me'. However some of them do give good clues. Here are a few.

  • Some SpyWare programs hide themselves as a 'search bar' of some sort, so the location will be C:\Program Files\SuperCoolSearchBar
  • Some SpyWare programs have random names and live in the system32 directory, for example C:\Windows\System32\ajeiej2la.exe
  • Static entries in the hosts file are typically bad, shown below. Remove them.

Keep in mind these are only a few and you have to be careful not to remove something you need, because unlike msconfig there is no going back after you remove an entry.
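The three clues above can be applied as a review pass that only flags entries and removes nothing. This is an added example, not part of the original post or of HiJack This: the sample paths, hosts lines and baseline set are constructed, and a known-good baseline stands in for judging whether a name "looks random".

```python
import ntpath
import re

# Assumed known-good baseline of System32 startup binaries (constructed, incomplete).
BASELINE = {"ctfmon.exe", "userinit.exe", "explorer.exe"}
SEARCHBAR = re.compile(r"search|toolbar", re.IGNORECASE)

# Constructed sample input, for illustration only.
STARTUP_ENTRIES = [
    r"C:\Windows\System32\ctfmon.exe",
    r"C:\Windows\System32\ajeiej2la.exe",
    r"C:\Program Files\SuperCoolSearchBar\bar.exe",
    r"C:\Program Files\ExampleApp\app.exe",
]
HOSTS_TEXT = """\
# constructed hosts file
127.0.0.1       localhost
203.0.113.7     www.example.com
::1             localhost
"""

def review_startup(paths):
    """Return (path, reason) pairs for entries matching the first two clues."""
    findings = []
    for path in paths:
        folder, name = ntpath.split(path.strip('"'))
        parts = [p.lower() for p in folder.split("\\")]
        if parts[-1:] == ["system32"] and name.lower() not in BASELINE:
            findings.append((path, "unrecognised binary in System32"))
        elif "program files" in parts and SEARCHBAR.search(folder):
            findings.append((path, "search-bar style install folder"))
    return findings

def review_hosts(text):
    """Return (ip, hostname) pairs for static mappings other than localhost."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenise
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        findings += [(ip, n) for n in names if n.lower() != "localhost"]
    return findings

if __name__ == "__main__":
    for path, reason in review_startup(STARTUP_ENTRIES):
        print(f"REVIEW  {path}  ({reason})")
    for ip, host in review_hosts(HOSTS_TEXT):
        print(f"REVIEW  hosts: {host} -> {ip}")
```

Every flagged line is a candidate for a manual look, not a verdict; a legitimate program can match any of these rules.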