Need help with XP startup

EarlyMon

The PearlyMon
Jun 10, 2010
New Mexico, USA
Ok, I have a bad one.

Recently, my elderly mom got the XP Antivirus 2011 malware. I got that solved via the web, and found she had no working anti-virus, so I got her going with Avast and cleaned up a lot of stuff.

She is running XP Home Edition - and she lives clear across the country, no one to help.

So - at startup, she is being faced with an IE page saying the suggested web page can't be found and maybe it's a network problem (that she insists on believing and wanting to read me 6 year old HP user guides on networking - bless her, in her 80s she is).

She was also getting failure to launch a corrupted Yahoo messenger.

Neither shows up in any of the account startup folders - I had her clear those out and she still got those two.

I then had her install Windows Defender and disable Yahoo Messenger on startup - that worked.

But the mysterious IE window remains - no address bar of course - and no way to get her to read off the list of processes in a way that makes sense from Task Manager when it's up (TM just shows the error window in the apps tab).

I wanted to try Remote Desktop - except - XP Home Edition doesn't support RD thru DSL.

I've tried going thru the entries in msconfig files - nothing bad there.

I've tried System Configuration Info but ultimately, every process listed for startup is a known process name, checked against blacklists by me, located in the correct places, and already virus scanned. If I have her uncheck everything in System Config Info and restart in diagnostic mode, the problem disappears.

So - I'm guessing that leaves the registry?

Any good, totally free registry cleaners out there I can trust?

Any suggestions where else to try to look for startup stuff under the circumstances?

Any chance of getting Remote Desktop working on XP HE thru DSL (the rest of the web says no, but I'm asking)?

Anyway - thanks and HELP! :)
 
You don't need RDP, you can sign up for a free logmein.com account. You'll need to sign yourself up as a dummy run to document it (including downloading the plugin) and then you can talk your mother through doing the same. Once she has an account and downloaded the plugin, she can create a secondary account and password. You go to the site, log in and can connect to her PC via your browser.

Last time I used it, the web site wasn't amazingly intuitive, which is why I suggest you go through all the steps yourself first and document it.

May sound obvious, but it's definitely worth cleaning down any temp folders as things like this can manifest there.

I don't personally think it will be in the registry. If it is, it may be in something like:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

May be worth also running:
Advanced SystemCare Free - Free software downloads and software reviews - CNET Download.com

and:
CCleaner - Free software downloads and software reviews - CNET Download.com


It's been a while since I've cleaned a registry, but it's always worth browsing cnet by editors' ratings. Just try to look out for "Sponsored matches" which appear even if you only tick "free". You can see in the left hand pane if there is a price, as these scan but not clean.
 
Upvote 0
Since she's already using AVG AVG Free | PC Tuneup | Registry Cleaner, File Recovery, Internet Accelerator | Worldwide

Also, you can try getting her to download something like Chrome or Firefox and removing IE (and re-installing if you must, granted I like having a 2nd and sometimes 3rd browser as backups). I've actually had to remote into an accountant's computer who was using dial-up and it was painfully slow. Granted the remote desktop tool we were using was an adobe system that wasn't free, but it let me dial down the image the lowest resolution B&W that I could while still seeing everything on the desktop.



How do I uninstall or remove Internet Explorer as a troubleshooting step?

PC Hell: How to Remove About:Blank Homepage Hijacker

This is very similar in characteristics to the random dll hijacker also known as HomeSearch Hijacker that came out around the same time. The key to the hijack is a hidden dll file that is connected to a BHO (Browser Hijack Object). This hidden dll file shows up in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Unfortunately removing this About:Blank hijacker can be difficult. It's a very persistent problem that can return quickly if it is not removed carefully.

How do I Remove the About:Blank homepage hijacker?

There are three basic proven methods that help remove this pesky hijacker, a manual one, one using vbscripts and an automatic one used by a spyware removal program.

MANUAL METHOD

The manual method of removing the About:Blank hijacker is probably the most difficult, since if it is not followed absolutely correctly it can return quickly. There are two programs that are needed to help with this removal. The first is HijackThis and the next is a registry program called Reglite.exe, this particular program for whatever reason seems to be able to find the hidden dll file without the hijacker trying to undo the work and attack the system again.

Once you've downloaded HijackThis and Reglite, open Registrar Lite and navigate to the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Look for the Key named AppInit_DLLs; the value in this key is the hidden dll file that is causing your problems. Write down the name of this file and think of it as the hidden.dll file.

Secondly, use the Windows Recovery Console in Windows XP to rename the file.

Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD or by the option shown below
Type cd \windows\system32 and press Enter
Type the following line to remove the read-only characteristic, replacing hidden.dll with the name of the dll file found with RegLite
ATTRIB -R hidden.dll

Rename the hidden.dll file by typing the following command (replacing the word hidden.dll with the actual filename)
RENAME hidden.dll badfile.dll

Type Exit and press Enter to Reboot Windows
ALTERNATE ACCESS TO RECOVERY CONSOLE

If you have Internet access still, place your Windows XP or Windows 2000 CD in the Drive and cancel out of any autostart menus.
1) Log onto the Internet
2) Click on the Start button
3) Click on Run
4) Type the following in the RUN line and Press Enter

D:\I386\WINNT32.EXE /CMDCONS

Make sure you use your CD Drive letter in place of the letter D above

5) The computer will start to install the Recovery Console and add it as a boot option.
6) Once installed, you'll be able to restart your computer and press F8 to start the Boot Menu. Press the ESC key and you should have the following option available to choose

MICROSOFT WINDOWS RECOVERY CONSOLE

7) Choose your Windows Installation, usually by pressing 1 and pressing Enter.

You'll have to enter the Administrator password to gain access to the Windows Recovery Console. If you do not know your Administrator password, you may try the procedure to help with a bad or unknown Administrator password.

FIX FOR BAD OR UNKNOWN ADMINISTRATOR PASSWORD

1) In Windows, click on Start, Run, and Type REGEDIT
2) Click on the plus signs (+) next to the following keys

HKEY_LOCAL_MACHINE
SOFTWARE
MICROSOFT
WINDOWS NT
CURRENTVERSION
SETUP
RECOVERY CONSOLE
3) Double-click on the option SECURITYLEVEL in the right-hand column and change the Value Data number to 1 then press OK

4) Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD

Next, Remove the hidden.dll file from the registry

Open RegLite.exe and navigate to the following registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Double-click on the AppInit_DLLs key, delete the name of the dll file in the Value Data field, Apply the Changes and click OK then Exit Registrar Lite.
Edit registry to remove the second file

Run HiJackThis and scan the registry. Check the boxes to remove the entries similar to the following:

R1 - HKCU\Software\Microsoft\InternetExplorer\Main,SearchBar=res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126

The dll file shown in these lines (in this case it's called xaiyh.dll) is the second problematic file in the about:blank hijack.

Open My Computer and choose Tools, then click on Folder Options, click on the View tab and under Advanced Settings, choose Show Hidden Files and Folders, then click on OK and close My Computer. In Windows XP/2000, you may also want to uncheck the options for "Hide extensions for known file types" and "Hide protected operating system files". This will allow you to easily find the dll files to delete them.

Lastly, search for and delete the hidden.dll file found through reglite.exe and this second dll file found using HijackThis.

Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:\WINDOWS).
In the "Named" or "Search for..." box, type, or copy and paste, the name of the hidden.dll filename you found using Reglite.exe. This file was renamed badfile.dll in our procedure. Search for it and delete it, then repeat this step for the dll filename you found using Hijackthis.
This should completely clean your system of the About:Blank homepage hijacker.

VBSCRIPTS REMOVAL METHOD

A company called Silent Runners has come up with several Visual Basic Scripts used in conjunction with Registrar Lite 2.0 to remove the About:Blank version of the CWS Cool Web Search hijacker. You can visit their website and read through the instructions by clicking on the following link:

Silent Runners - CWS Removal Procedure - Use at your own risk!

AUTOMATIC REMOVAL METHOD

A new adware removal program called Adware Away has proven very successful in removing the About:Blank homepage hijacker along with many other hijacker type programs. They have a trial version that is fully functional which allows most people to remove the About:Blank hijacker without having to purchase it. The trial version of Adware Away seems to last between 5 to 7 days before timing out and requiring payment. You can visit their webpage and download a trial of Adware Away by clicking on the following link. You may also purchase the program for $29.95.

I recommend this program for instances where the manual removal methods don't work. Currently there are about 5 variants of the About:Blank homepage hijacker and Adware Away handles all these variants.


Oh and the standard *****I am not liable for any issues that may arise from performing the above steps, nor can any claims be filed against me for the information provided above. By performing any steps mentioned, you are acting on your own behalf...blah blah blah....etc etc etc******
 
Upvote 0
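An added example, not part of the posts above and not HijackThis's own code: a short Python triage of a saved HijackThis log that pulls out the DLLs referenced by res:// values and by AppInit_DLLs, and lists Run-key entries that start a browser at login. The R0/R1 lines are the ones quoted in the post; the O4 and O20 lines, the ExampleAV entry and the placeholder.invalid URL are constructed, and their layout is an assumption about the log format.

```python
import re

# R0/R1 lines are quoted from the post above. The O4 and O20 lines are
# constructed samples (assumed HijackThis layout), not taken from the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\InternetExplorer\Main,SearchBar=res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\tray.exe
O4 - HKCU\..\Run: [updater] "C:\Program Files\Internet Explorer\iexplore.exe" http://placeholder.invalid/
O20 - AppInit_DLLs: hidden.dll
"""

# "R1 - <registry key>,<value name> = <data>" (spaces around "=" are optional)
R_LINE = re.compile(r"^(R[0-3]) - ([^,]+),(.*?)\s*=\s*(.*)$")
# "O4 - <location>: [<name>] <command>"
O4_LINE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
# "O20 - AppInit_DLLs: <dll list>"
O20_LINE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
# A res:// URL that loads a page out of a local DLL
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)


def parse_log(text):
    """Turn log text into a list of dicts, one per recognised line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            entries.append({"section": m.group(1), "key": m.group(2),
                            "name": m.group(3), "data": m.group(4)})
            continue
        m = O4_LINE.match(line)
        if m:
            entries.append({"section": "O4", "key": m.group(1),
                            "name": m.group(2), "data": m.group(3)})
            continue
        m = O20_LINE.match(line)
        if m:
            entries.append({"section": "O20", "key": "AppInit_DLLs",
                            "name": "AppInit_DLLs", "data": m.group(1)})
    return entries


def suspect_dlls(entries):
    """Map each DLL (lower-cased) to the places in the log that reference it."""
    found = {}
    for e in entries:
        if e["section"].startswith("R"):
            m = RES_DLL.search(e["data"])
            if m:
                where = e["key"] + "," + e["name"]
                found.setdefault(m.group(1).lower(), []).append(where)
        elif e["section"] == "O20":
            # AppInit_DLLs holds a space- or comma-separated list of DLL names
            for dll in re.split(r"[ ,]+", e["data"].strip()):
                if dll:
                    found.setdefault(dll.lower(), []).append("AppInit_DLLs")
    return found


def browser_launchers(entries):
    """Return (location, name, command) for autostart entries that open a browser or URL."""
    hits = []
    for e in entries:
        if e["section"] != "O4":
            continue
        cmd = e["data"].lower()
        if "iexplore" in cmd or re.search(r"https?://", cmd):
            hits.append((e["key"], e["name"], e["data"]))
    return hits


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for dll, refs in sorted(suspect_dlls(parsed).items()):
        print(dll, "referenced by", len(refs), "entries")
    for location, name, command in browser_launchers(parsed):
        print("starts a browser at login:", location, name, command)
```
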
You're making it too complicated. IE won't work because that particular virus sets up IE to be self proxied. With the virus gone, that proxy no longer exists. She needs to go into the Internet connection properties and uncheck the "use a proxy server" option.

Skip the registry cleaners. They're bogus IMO.

^ this. And I love the part in bold - I'm in the same camp - Bo-gus.
 
Upvote 0
Couldn't disagree more. Although they probably won't fix this issue, I like to have a clean registry like I like to have a clean desktop. I don't like crap all over the place.

Whereas they shouldn't be used willy-nilly, it's good to remove those broken links to applications that no longer exist.

Maybe one day, applications will uninstall themselves fully. But until then...
 
Upvote 0
I use the free Wise Registry cleaner. They will scan the registry and provide a list of bad or broken items before we choose to delete it. Be sure to select the deep scan option. We can also compact or defrag the registry to make everything boot/work faster. Has been very safe to use - it hasn't messed up any of my various systems over the years. bye.
 
Upvote 0
Couldn't disagree more. Although they probably won't fix this issue, I like to have a clean registry like I like to have a clean desktop. I don't like crap all over the place.

Whereas they shouldn't be used willy-nilly, it's good to remove those broken links to applications that no longer exist.

Maybe one day, applications will uninstall themselves fully. But until then...

You never see that stuff though and it doesn't affect anything. It's like moving all the furniture every time you vacuum. Sure your living room is technically cleaner if you move the couch around so you can completely vacuum underneath it. If you don't though, the dust simply accumulates under the couch where no one at all can see it. It's out of sight and has no effect on anything. No guest is going to peer under your couch and then go around telling people you have a filthy house. Vacuuming under the couch accomplishes little. Going through the registry and cleaning out orphaned entries is the same way. Accomplishes nothing. So now you have a clean registry (assuming the product you used isn't crap like many of them are). So what. Doesn't make your computer run faster. Doesn't make the computer perform any better. All it does is you now know that you have a clean registry.
 
Upvote 0
You never see that stuff though and it doesn't affect anything. It's like moving all the furniture every time you vacuum. Sure your living room is technically cleaner if you move the couch around so you can completely vacuum underneath it. If you don't though, the dust simply accumulates under the couch where no one at all can see it. It's out of sight and has no effect on anything. No guest is going to peer under your couch and then go around telling people you have a filthy house. Vacuuming under the couch accomplishes little. Going through the registry and cleaning out orphaned entries is the same way. Accomplishes nothing. So now you have a clean registry (assuming the product you used isn't crap like many of them are). So what. Doesn't make your computer run faster. Doesn't make the computer perform any better. All it does is you now know that you have a clean registry.


haha, I know where someone hides all their dust bunnies....


I personally would rather have a nice and neat registry as well. Windows is too damn temperamental as it is. Why risk it? Then again, if you don't know what you're doing you can really jack your system up.
 
Upvote 0
To expand upon A's post:

Unlike what most people think, the registry is not loading into memory until needed. If there are a lot of broken links in the registry (to the tune of several tens of thousands) then you might want to start looking at cleaning, but otherwise, you're vacuuming up the equivalent of three individual short hairs in a 25000 square foot room.

This link starts the myth-debunking process - What's the Registry, Should I Clean It, and What's the Point? - including the quotation from Ed Bott (with whom I have absolutely no affiliation, and also with whom I am more in disagreement than agreement most of the time). Of importance is this quotation:
The sad answer, which we covered while debunking performance tweaking myths, is that most of these products are not worth running, and while the better ones won't necessarily kill your PC, they're rarely going to help you a lot either. If you stop and think about it, you'll realize that since the registry contains many hundreds of thousands of keys (or more), removing 50 or even 100 of them isn't going to yield any performance gains.

Then, there is this information from Wikipedia (again, no affiliation, and I had no part in writing the article): Registry cleaner - Wikipedia, the free encyclopedia Of note here are the different advantages and disadvantages.

If you also look at Windows Registry - Wikipedia, the free encyclopedia you can see that the registry mainly stores information as any database does - and the OS, various programs you have installed, etc. only come looking for said information in the Registry when they need it - and they don't do a search through the entire registry for the information, they have specific key values they look for and retrieve the information directly from the associated key(s).

Now, I'm not gonna berate you if you clean your registry - more power to you. It's just that in the long run, there is too much for the average user to mess up, b/c registry cleaning programs are not 100% perfect no matter how good the developer(s) is/are, and one slip up can leave you hanging in a very bad way. I consider myself a computer expert, and I've seen what even the slightest misstep can cause a system to do - hell, I've made many of those missteps myself.
 
Upvote 0
haha, I know where someone hides all their dust bunnies....


I personally would rather have a nice and neat registry as well. Windows is too damn temperamental as it is. Why risk it? Then again, if you don't know what you're doing you can really jack your system up.

There's zero risk if you leave it as it is. Broken registry links are not going to jack up your computer. They're not going to slow your computer down at all. Now, way, way, way back in the day (Windows 95/98 era) that might've been true. It's not at all true today. Computers are faster. Hardware is better. Windows is better optimized and the registry is completely and totally irrelevant to 99% of users. The only people who need to do anything with the registry are tech support people and power users as it allows you to tweak the OS at a much deeper level than the vast majority of people even care or notice.
 
Upvote 0
The problem arises from when people get malware infections that also use the Registry, and the novice end user starts associating the registry with malware and then starts finding ways to 'optimize' or 'clean' or whatever in order to prevent another malware infection.

that's actually the reason why reg cleaners became so popular back in the day - to help ward off malware as well as remove infections.
 
Upvote 0
For me it's like some peoples' reaction to bloatware. It's for the most part benign and harmless except for the annoying updates, but I'd just rather not have it there. Yes computers are much more evolved and can run mostly without issue, but why do you want a registry entry that originated via some malware installation? Different strokes for different folks. I'd personally rather have a clean registry for my own peace of mind. It's like changing the oil on a car at recommended intervals or a few thousand miles later. People can argue either position until they're blue in the face. it all comes down to what the driver/enduser is most comfortable with.
 
Upvote 0
FWIW - our (my company's) software _does_ clean itself up from the registry on an uninstall.

And I do find value in a tidy registry. A dirty one can be harmless, but I have experienced cases where a virus clean or a poorly maintained machine (I am facing both in this case) can lead to the registry being so tangled that services fail and apps preferences get cross-wired. Proper overall behavior assumes the registry wasn't abused by crapware and viruses. If you think this isn't possible then thank your lucky stars you've never faced it. And I'd forgotten so thanks for reminding me - a bad registry cleaner accomplishes the same thing that some malware does - tangles that can impair services or startup.

In the past when I did want the registry right, I would simply fix it by hand. I would prefer to do that here, or at least see what it really thinks is starting without me having to dance through derivative cartoon interfaces like System Configuration Info. But without proper remote access, my options are limited.

Also appreciate the tip on logmein.com - I thought they were strictly a paid VNC service for phone to PC, etc. I think I'll go ahead and sandbox that whole thing on two machines here.

Appreciate the help and feedback - it's been years since I've had to stare down an improperly maintained Windows box and now it's remote and an HE to add insult to injury. :) :p

Anyway - I'll just go on record here: real operating systems do not use Mickey Mouse registries. Ever.
 
Upvote 0
And sorry, my extreme bad, for incomplete info in the FP.

After clearing the erroneous blank IE page, everything else seems to run just fine, including IE (if IE can indeed be claimed to run fine).

It's as if something is trying to launch a webpage - I suspect that it's for a malware or crapware advertisement that's been taken down - and then exiting after spawning the web page launch.

It's a total nuisance and is frustrating to an 80+ yr old.
 
Upvote 0
FWIW - our (my company's) software _does_ clean itself up from the registry on an uninstall.

And I do find value in a tidy registry. A dirty one can be harmless, but I have experienced cases where a virus clean or a poorly maintained machine (I am facing both in this case) can lead to the registry being so tangled that services fail and apps preferences get cross-wired. Proper overall behavior assumes the registry wasn't abused by crapware and viruses. If you think this isn't possible then thank your lucky stars you've never faced it. And I'd forgotten so thanks for reminding me - a bad registry cleaner accomplishes the same thing that some malware does - tangles that can impair services or startup.

In the past when I did want the registry right, I would simply fix it by hand. I would prefer to do that here, or at least see what it really thinks is starting without me having to dance through derivative cartoon interfaces like System Configuration Info. But without proper remote access, my options are limited.

Also appreciate the tip on logmein.com - I thought they were strictly a paid VNC service for phone to PC, etc. I think I'll go ahead and sandbox that whole thing on two machines here.

Appreciate the help and feedback - it's been years since I've had to stare down an improperly maintained Windows box and now it's remote and an HE to add insult to injury. :) :p

Anyway - I'll just go on record here: real operating systems do not use Mickey Mouse registries. Ever.

If you want a great way to manually clean your registry, I humbly suggest David Ching's RegEditX RegEditX - Tweaks for the Windows Registry Editor (REGEDIT) - with Registry Crawler incorporated. I'm waiting for the final release so I can buy it, but I've used both RegEditX and Registry Crawler in the past (RC was 4.5 when last offered as a standalone product, RegEditX 2.0 was the last I used before I found the new 3.0 βetas).

Also, here is a list of online scanners you can run through - I realize that you, EM, probably don't need this, and this list is a bit old, but I'm including it here b/c anyone else reading the thread may benefit from it. I also just now verified each link, they're all active :D http://www.vistax64.com/network-sharing/173824-slow-internet-vistax32-after-while.html#post805059 is a post I made almost 3.5 years ago for online scanners, plus downloadable software (I think you said she already had AVG) as well as MBAM.

I'm a registered beta tester for MBAM, have been for over 5 years now, and I use the registered version (tester key) that I can do what I want with - I swear by MBAM, M$SE and WinPatrol. my days at CastleCops taught me well - don't overload and make sure that you set exceptions in each scanning program to avoid interfering with other scanning programs. For example, I have MBAM set with exceptions to M$SE, and M$SE set with exception to MBAM....
And sorry, my extreme bad, for incomplete info in the FP.

After clearing the erroneous blank IE page, everything else seems to run just fine, including IE (if IE can indeed be claimed to run fine).

It's as if something is trying to launch a webpage - I suspect that it's for a malware or crapware advertisement that's been taken down - and then exiting after spawning the web page launch.

It's a total nuisance and is frustrating to an 80+ yr old.

Have you tried performing a true IE restore defaults? Internet Options --> Advanced tab --> Reset button....

Also, check the security levels for IE on the Security tab, reset them all to default, and check for any suspicious sites in the trusted sites list.

You might try running SpywareBlaster | Prevent spyware and malware. Free download. to fix any latent problems with IE before actually performing the reset as well. Same with WinPatrol - although the popups may be a bit disconcerting at first for her, if she reads up on WinPatrol and sees Bill Pytlovany's pic, it may make her feel a lot better (probably better than Marcin's pic, the dev of MBAM - he's like 20 lol)

Have you performed a HiJack This! analysis?

IE can be claimed to run as well as it has ever run ;)

Pfft - I run IE 64bit b/c I can, but prefer Mozilla Firefox Nightly 64bit builds b/c of the extreme customization I can perform with it compared to IE. Still, there are sites that require me to have IE, so....
 
Upvote 0
Re: Registry Wipe Out
yaay i just deleted 378 registry items using the latest Wise Registry Cleaner thing. The last time i ran it was in late November. After i hit the Scan button, it showed me a long list of 380 items and i decided to keep/remember 2 items (happens to be typed URLs to some websites). The balance 378 were mostly MRU (most recently used list/pointers) for various softwares, some leftover/orphaned stuff from software that i previously uninstalled, some temp/junk stuff from existing software, some URLs that i didn't care about, etc. Anyways i've done this enough times... and i just hit the Start Cleaning button and they went away. They'll be back later!! :)

Re: My Batch File - Quickie Temp Files Cleaner
Since SSD space is precious i also have a batch file/icon that i pasted on the desktop. A couple of times a week i'll double-click this icon to clear out the temp/junk stuff. (i'm too lazy to manually go to different places to clear stuff... so i just do this once-click roomba clean:))
--------------------
filename: delete-temp-files.bat
--------------------
@REM Replace "username" with the Windows account name before running.
@REM Switch to drive C: and into the user's Temp folder.
@C:
@Cd\
@cd C:\Users\username\AppData\Local\Temp
@REM Empty Temp: /F also deletes read-only files, /S recurses into subfolders, /Q skips the confirmation prompt.
del C:\Users\username\AppData\Local\Temp\*.* /F /S /Q
del C:\Users\username\AppData\Local\Temp\* /F /S /Q
@REM Delete cached web content from Temporary Internet Files, one file type at a time.
del "C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.jpg" /F /S /Q
del "C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.htm" /F /S /Q
del "C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.html" /F /S /Q
del "C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.css" /F /S /Q
del "C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.ico" /F /S /Q
del "C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.gif" /F /S /Q
del "C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.xml" /F /S /Q
@REM Delete cached Outlook attachments.
del "C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\Z6NF0ZXT\*.*" /F /S /Q

--------------------
(i also have another batch file on the desktop to do some other stuff.)

bye.
 
Upvote 0
If you want a great way to manually clean your registry, I humbly suggest David Ching's RegEditX RegEditX - Tweaks for the Windows Registry Editor (REGEDIT) - with Registry Crawler incorporated. I'm waiting for the final release so I can buy it, but I've used both RegEditX and Registry Crawler in the past (RC was 4.5 when last offered as a standalone product, RegEditX 2.0 was the last I used before I found the new 3.0 βetas).

Also, here is a list of online scanners you can run through - I realize that you, EM, probably don't need this, and this list is a bit old, but I'm including it here b/c anyone else reading the thread may benefit from it. I also just now verified each link, they're all active :D http://www.vistax64.com/network-sharing/173824-slow-internet-vistax32-after-while.html#post805059 is a post I made almost 3.5 years ago for online scanners, plus downloadable software (I think you said she already had AVG) as well as MBAM.

I'm a registered beta tester for MBAM, have been for over 5 years now, and I use the registered version (tester key) that I can do what I want with - I swear by MBAM, M$SE and WinPatrol. my days at CastleCops taught me well - don't overload and make sure that you set exceptions in each scanning program to avoid interfering with other scanning programs. For example, I have MBAM set with exceptions to M$SE, and M$SE set with exception to MBAM....


Have you tried performing a true IE restore defaults? Internet Options --> Advanced tab --> Reset button....

Also, check the security levels for IE on the Security tab, reset them all to default, and check for any suspicious sites in the trusted sites list.

You might try running SpywareBlaster | Prevent spyware and malware. Free download. to fix any latent problems with IE before actually performing the reset as well. Same with WinPatrol - although the popups may be a bit disconcerting at first for her, if she reads up on WinPatrol and sees Bill Pytlovany's pic, it may make her feel a lot better (probably better than Marcin's pic, the dev of MBAM - he's like 20 lol)

Have you performed a HiJack This! analysis?



Pfft - I run IE 64bit b/c I can, but prefer Mozilla Firefox Nightly 64bit builds b/c of the extreme customization I can perform with it compared to IE. Still, there are sites that require me to have IE, so....

I have firefox on Ubuntu but have chromium as my secondary. It's very rare that I have to use chromium so I just have that set up with a US proxy so I can download and use betas that only US residents get.

Best thing about firefox?! "about:config", without a shadow of a doubt (for me)
 
Upvote 0
Have you tried performing a true IE restore defaults? Internet Options --> Advanced tab --> Reset button....

Also, check the security levels for IE on the Security tab, reset them all to default, and check for any suspicious sites in the trusted sites list.

Yep, done that.

You might try running SpywareBlaster | Prevent spyware and malware. Free download. to fix any latent problems with IE before actually performing the reset as well. Same with WinPatrol - although the popups may be a bit disconcerting at first for her, if she reads up on WinPatrol and sees Bill Pytlovany's pic, it may make her feel a lot better (probably better than Marcin's pic, the dev of MBAM - he's like 20 lol)

Have you performed a HiJack This! analysis?
Yeah, and I cleaned some (ok - a LOT) of stuff already. But this isn't a hijack. This is something launching IE at login and going to a bogus site.

I'd love to simply get into the Event viewer (as well as the registry) - anything a normal admin would do.

So, hopefully, log me in will get me there if the other stuff doesn't.

Very much appreciate the other tips, btw!

Best thing about firefox?! "about:config", without a shadow of a doubt (for me)

Also good for the stock Android browser where "about:debug" doesn't work! :)

PS - Can't believe I didn't think to clear out temp. I still think the IE launch at login is a spawned process, but I'm sure temp on that machine is a mess. I'm going to shamelessly steal your commands and .bat that on her side independently do a temp clean. ;) (Srsly, tho, thanks for the bat.)

This is strictly a startup issue. She's not launching IE, some process is. Nothing is proxied. After exiting the erroneous window (with the address bar conveniently hidden), everything works fine.

And my favorite, a new one for me (probably because I practice safe web browsing and don't just click on things) - the whole alt-keypress access is gone when the addr widget and the rest of the toolbars are withdrawn.

If I could figure out where it's trying to go, then I could simply scan her entire disk for that address, I thought. I doubt it's encrypted. And it doesn't seem to appear in the IE history, probably because the access wasn't successful or some other good IE idea.

And if she could remember her router password, I'd have checked the router logs. Oh well.
 
Upvote 0
Even better - it could be masking itself in the autoexec.bat, .cmd (if present), win.ini (if present) and a few other places as well. Registry is first place I'd look for, but sometimes the old ways work best b/c many modern system cleaners and overhaulers forget to look in the old places anymore...

Startup folder in Programs is another good place to look.

But all of these can be checked by WinPatrol :D
 
Upvote 0
I don't care what anyone says, the best way to get rid of all Windows issues is at the command prompt type in "Format C:".


What I've always thought would be a good idea for computers is a diagnostic port like cars (OBDII) where you can plug in a tablet or a laptop and run a complete diagnostic test/repair on a system that's acting weird. And by complete I mean HD tests, malware scans, hardware configuration. I'm sure something like that would take forever to implement and would probably thin out a lot of IT positions, but I've always thought it would be nice to have a comprehensive tool that any IT professional can just perform complete system scans via a cable.
 
Upvote 0
