Malicious Script



New York Knick
07-09-2005, 11:49 PM
Hi. I'm a newbie here and pretty much a computer novice so please bear with
me. I have a malicious script on my computer that I don't know how to remove.
I've tried ad-aware, Microsoft AntiSpyware and the Microsoft malicious
software removal tool but it's still on my computer. Norton AntiVirus hasn't
been able to get rid of it or even quarantine it, it just recommends to stop
running it. It identifies the thing as:
C:\documents and setup\all users\start menu\programs\startup\dceg.hta
Activity: Create TextFile
Object: FileSystem Object
I would really appreciate any advice on how to get rid of this annoying
thing that has made my computer incredibly slow and compromised its security.

New York Knick
07-09-2005, 11:49 PM
I forgot to mention that I have Windows XP SP2.

"New York Knick" wrote:

> Hi. I'm a newbie here and pretty much a computer novice so please bear with
> me. I have a malicious script on my computer that I don't know how to remove.
> I've tried ad-aware, Microsoft AntiSpyware and the Microsoft malicious
> software removal tool but it's still on my computer. Norton AntiVirus hasn't
> been able to get rid of it or even quarantine it, it just recommends to stop
> running it. It identifies the thing as:
> C:\documents and setup\all users\start menu\programs\startup\dceg.hta
> Activity: Create TextFile
> Object: FileSystem Object
> I would really appreciate any advice on how to get rid of this annoying
> thing that has made my computer incredibly slow and compromised its security.

Malke
07-09-2005, 11:49 PM
New York Knick wrote:
> Hi. I'm a newbie here and pretty much a computer novice so please bear with
> me. I have a malicious script on my computer that I don't know how to remove.
> I've tried ad-aware, Microsoft AntiSpyware and the Microsoft malicious
> software removal tool but it's still on my computer. Norton AntiVirus hasn't
> been able to get rid of it or even quarantine it, it just recommends to stop
> running it. It identifies the thing as:
> C:\documents and setup\all users\start menu\programs\startup\dceg.hta
> Activity: Create TextFile
> Object: FileSystem Object
> I would really appreciate any advice on how to get rid of this annoying
> thing that has made my computer incredibly slow and compromised its security.

You need to do all your scanning work with updated tools in Safe Mode.
Also, make sure your NAV is a current version using updated virus
definitions.

To get to Safe Mode, repeatedly tap the F8 key as the computer is
starting. This will get you to the right menu to choose Safe Mode. Then
go through these general malware removal steps:

First delete all Temporary and Temporary Internet Files. For IE's
Temporary Files, go to Control Panel>Internet Options>General tab.
You'll see where you can delete cookies and files. For Firefox, clear
its cache by going to Tools>Options>Privacy>Cache> Clear. For Windows
Temporary files, Start>Run cleanmgr [enter]. Then follow these detailed
malware removal steps, doing everything with updated tools in Safe Mode.
You can find all the links to referenced programs and sites on my
website here:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

1) Scan in Safe Mode with current version (not earlier than 2004)
antivirus using updated definitions.

Before you remove malware, get LSPFix or WinSockFix for XP - see links
below.

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not install
the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

If the malware remains even after you used Ad-aware and Spybot, you can
scan with HijackThis. HijackThis is an excellent tool to discover and
disable hijackers, but it requires expert skill. See the links on my
website for a HijackThis tutorial and places where you can post your HJT
log. Again, this is an expert tool and novices should get help with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore after the system is clean because malware will be in the Restore
Points. With ME, you must disable System Restore completely. With XP,
you can delete all but the most recent (presumably clean) System Restore
point from the More Options section of Disk Cleanup (Run>cleanmgr).

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Malke
--
MS-MVP Windows User/Shell
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

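Added example (not part of the original thread, and not code from any of the tools named in it): a Python triage of a Startup folder, of the kind that held dceg.hta, listing script-host files and flagging the two behaviours named in the Norton alert (FileSystemObject, CreateTextFile). The extension list, the marker patterns and the sample files are assumptions made for this example. The samples are constructed and harmless.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Extensions that Windows hands to a script host (mshta.exe, wscript.exe).
SCRIPT_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Behaviours named in the Norton alert quoted in the thread.
MARKERS = {
    "FileSystemObject": re.compile(r"Scripting\.FileSystemObject", re.I),
    "CreateTextFile": re.compile(r"\bCreateTextFile\b", re.I),
}
# Constructed, harmless sample files (not taken from the infected machine).
SAMPLES = {
    "demo.hta": b'<script language="VBScript">\n'
                b'Set fso = CreateObject("Scripting.FileSystemObject")\n'
                b'Set f = fso.CreateTextFile("out.txt")\n</script>\n',
    "hello.vbs": 'MsgBox "hello"\n'.encode("utf-16"),
    "Office.lnk": b"\x4c\x00\x00\x00",
}

def decode(raw):
    """Decode script bytes; UTF-16 files start with a byte-order mark."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")  # maps every byte, so it never raises

def triage_startup(folder):
    """Return one finding per script-type file found in a Startup folder."""
    findings = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        raw = path.read_bytes()
        text = decode(raw)
        hits = [name for name, rx in MARKERS.items() if rx.search(text)]
        findings.append({"file": path.name, "markers": hits,
                         "sha256": hashlib.sha256(raw).hexdigest()})
    return findings

def run_on_samples():
    """Write SAMPLES to a temporary folder and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            (Path(tmp) / name).write_bytes(data)
        return triage_startup(tmp)

if __name__ == "__main__":
    for finding in run_on_samples():
        print(finding["file"], finding["markers"] or "-", finding["sha256"][:16])
```

On a real machine, call triage_startup() with the path of each Startup folder. Any script file there deserves a look, and one that matches both markers is the first candidate to examine.
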
New York Knick
07-09-2005, 11:49 PM
The problem has been fixed. Many thanks.

"Malke" wrote:

> New York Knick wrote:
> > Hi. I'm a newbie here and pretty much a computer novice so please bear with
> > me. I have a malicious script on my computer that I don't know how to remove.
> > I've tried ad-aware, Microsoft AntiSpyware and the Microsoft malicious
> > software removal tool but it's still on my computer. Norton AntiVirus hasn't
> > been able to get rid of it or even quarantine it, it just recommends to stop
> > running it. It identifies the thing as:
> > C:\documents and setup\all users\start menu\programs\startup\dceg.hta
> > Activity: Create TextFile
> > Object: FileSystem Object
> > I would really appreciate any advice on how to get rid of this annoying
> > thing that has made my computer incredibly slow and compromised its security.
>
> You need to do all your scanning work with updated tools in Safe Mode.
> Also, make sure your NAV is a current version using updated virus
> definitions.
>
> To get to Safe Mode, repeatedly tap the F8 key as the computer is
> starting. This will get you to the right menu to choose Safe Mode. Then
> go through these general malware removal steps:
>
> First delete all Temporary and Temporary Internet Files. For IE's
> Temporary Files, go to Control Panel>Internet Options>General tab.
> You'll see where you can delete cookies and files. For Firefox, clear
> its cache by going to Tools>Options>Privacy>Cache> Clear. For Windows
> Temporary files, Start>Run cleanmgr [enter]. Then follow these detailed
> malware removal steps, doing everything with updated tools in Safe Mode.
> You can find all the links to referenced programs and sites on my
> website here:
>
> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> 1) Scan in Safe Mode with current version (not earlier than 2004)
> antivirus using updated definitions.
>
> Before you remove malware, get LSPFix or WinSockFix for XP - see links
> below.
>
> 2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
> programs are free, so use them both since they complement each other.
> There is a new version of CWShredder from Intermute. I would not install
> the other Intermute programs, however. Alternately, there are
> CoolWebSearch malware removal steps at SilentRunners.
>
> Be sure to update these programs before running, and it is a good idea
> to do virus/spyware scans in Safe Mode. Make sure you are able to see
> all hidden files and extensions (View tab in Folder Options).
>
> If the malware remains even after you used Ad-aware and Spybot, you can
> scan with HijackThis. HijackThis is an excellent tool to discover and
> disable hijackers, but it requires expert skill. See the links on my
> website for a HijackThis tutorial and places where you can post your HJT
> log. Again, this is an expert tool and novices should get help with it.
>
> 3) If you are running Windows ME or XP, you should disable/enable System
> Restore after the system is clean because malware will be in the Restore
> Points. With ME, you must disable System Restore completely. With XP,
> you can delete all but the most recent (presumably clean) System Restore
> point from the More Options section of Disk Cleanup (Run>cleanmgr).
>
> 4) Make sure you've visited Windows Update and applied all security
> patches. Do not install driver updates from Windows Update.
>
> 5) Run a firewall.
>
> Malke
> --
> MS-MVP Windows User/Shell
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic"
>

