Re: Searching from Address Bar

From: Jim Byrd (jrbyrd_at_spamlessadelphia.net)
Date: 06/08/04 

Date: Mon, 7 Jun 2004 17:16:02 -0700

Hi Gordon - Nothing in the RestoreSearch2 .reg file would affect any ot
that. I suspect that you've other malware of some sort. I'm going to post
the "full course" message, but I would suggest after you've read it that you
go directly to the HiJackThis section and follow the steps there.

Sounds like this might be a variant of some malware called CoolWebSearch (if
not, then see AdAware, SpyBot, and HijackThis, below). Do the following:

Download, UPDATE before running, and run:
http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
Be sure to close all instances of IE and OE. You may also get it here if
that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip

BE SURE that you get v.158 or later!

You will need to show Hidden files first and then at the end disable System
Restore and then reboot your system in order to clear the malware garbage
from the backups after you've cleaned up. It's best to perform CWShredder
(and most other malware fixers too) from Safe mode and then reboot. After
cleaning things up, then you can disable and then re-enable System Restore.
See ******** below.

The following links give instructions on how to do these various functions:

HOW TO Restart in Safe Mode
<http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406>

HOW TO Enable Hidden Files
<http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339>

HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning)
<http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039>
(WinXP)
<http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239>
(WinME)

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions.

However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm

If they don't fix it then start here:

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Unzip the downloaded HijackThis to any convenient folder, start it then
press Scan. Click on SaveLog when it's finished which will create
hijackthis.log. Now click the Config button, then Misc Tools and click on
Generate StartupList.log which will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://216.180.233.162/~swicom/forums/

or Net-Integration here:
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).

*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******

Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.

http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended 

-- 
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
 In news:1960b01c44ce6$56ac0680$a501280a@phx.gbl,
Gordon Smith <grsprod@hotmail.com> typed:
> Hi Jim,
>
> Bad new I'm afraid.  Got the search bar issue resolved.
> Running Ad-aware and SpyBot...but now that I've changed
> the REG this has altered other settings.  Most noticably
> the graphics setup.  Icons now look grainy on screen and
> for instance when I try and view Media Player 9 in full
> screen it wont work.  Error message says increase hardware
> accelerator to full.  This is already set to full, I'm
> running at max resolution as per prior, in fact all
> graphics settings seem the same.  But they obv arent as
> the display qual has reduced.
>
> Any ideas?
>
> Sorry to keep pertering you!
>
> Kind regards,
>
> Gordon
>> -----Original Message-----
>> YW, Gordon - Let us know what happens, please.
>>
>> --
>> Please respond in the same thread.
>> Regards, Jim Byrd, MS-MVP
>>
>>
>>
>> In news:194eb01c44cc9$741b9a40$a501280a@phx.gbl,
>> Gordon Smith <grsprod@hotmail.com> typed:
>>> Hi Jim,
>>>
>>> Thanks for what looks like an extremely detailed email!
>>>
>>> I shall def give everything ago, I did have Lavasoft on
>>> before and suspect that maybe the root of my problems. I
>>> also have a Spybot program.  I try the other things and
>>> see where that gets me.
>>>
>>> Many thanks for your time and assistance.
>>>
>>> Kind regards,
>>>
>>> Gordon
>>>
>>>> -----Original Message-----
>>>> Hi Gordon - Download and run:
>>>> http://www.kellys-korner- xp.com/regs_edits/RestoreSearch2.REG to
restore
>>>> your default Search functions.  You'll have to manually reselect any
>>>> Customization, however.
>>>>
>>>> Note that this symptom often indicates the possibility of other
malware.
>>>> You might want go to this page at Jim Eshelman's site, here:
>>>> http://aumha.org/a/noads.htm or here:
>>>> http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be
>>>> patient), while an analysis of a number of possible parasites on your
>>>> machine will be made to help you identify and remove them.  NOTE:  You
will
>>>> need to disable Ad Blocking in Zone Alarm 3.x, if present or any other
Ad
>>>> Blocking software which interferes with Java Scripting for this scan to
>>>> work.  You should get a message between the two lines of **** giving
the
>>>> results of the scan.
>>>>
>>>> For the general hijack case, the best way to start is to get Ad-Aware
6.0,
>>>> Build 181 or later, here: http://www.lavasoftusa.com/support/download/.
>>>> UPDATE and run this regularly to get rid of
>>> most "spyware/hijackware" on
>>>> your machine.   If it has to fix things, be sure to re-
>  boot and rerun
>>>> AdAware again and repeat this cycle until you get a clean  scan.  The
reason
>>>> is that it may have to remove things which are currently "in use"
before it
>>>> can then clean up others.
>>>>
>>>> Another excellent program for this purpose is SpyBot Search and Destroy
>>>> available here:  http://security.kolla.de/  SpyBot Support Forum here:
>>>> http://www.net-integration.net/cgi-
>>> bin/forums/ikonboard.cgi.   I recommend
>>>> using both normally.  After UPDATING and fixing things with SpyBot S&D,
be
>>>> sure to re-boot and rerun SpyBot again and repeat this cycle until you
get a
>>>> clean "no red" scan.  The reason is that SpyBot sometimes has to remove
>>>> things which are currently "in use" before it can then clean up others.
>>>>
>>>>
>>>> Note that sometimes you need to make a judgement call about what these
>>>> programs report as spyware.  See here, for example:
>>>> http://www.imilly.com/alexa.htm
>>>>
>>>>
>>>> A currently common parasite which can cause this symptom is some
malware
>>>> called CoolWebSearch. Do the following:
>>>>
>>>> Download, UPDATE before running, and run:
>>>> http://209.133.47.200/~merijn/files/CWShredder.exe to remove the
parasite.
>>>> Be sure to close all instances of IE and OE.   You may also get it here
if
>>>> that link is blocked:
http://www.zerosrealm.com/downloads/CWShredder.zip
>>>>
>>>> BE SURE that you get v.158 or later!
>>>>
>>>> You will need to show Hidden files first and then at the end disable
System
>>>> Restore and then reboot your system in order to clear the malware
garbage
>>>> from the backups after you've cleaned up.  It's best to perform
CWShredder
>>>> (and most other malware fixers too) from Safe mode and then reboot.
After
>>>> cleaning things up, then you can disable and then re- enable System
Restore.
>>>> See ******** below.
>>>>
>>>> The following links give instructions on how to do these various
functions:
>>>>
>>>>
>>>> HOW TO Restart in Safe Mode
>>>>  <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/
2001052409420406>
>>>>
>>>> HOW TO Enable Hidden Files
>>>>  <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/
2002092715262339>
>>>>
>>>> HOW TO Disable/Flush System Restore  (do this at the end AFTER
cleaning)
>>>>  <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/
2001111912274039>
>>>> (WinXP)
>>>>  <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/
2001012513122239>
>>>> (WinME)
>>>>
>>>>
>>>>
>>>> Then download and run:
>>>> http://www.kellys-korner- xp.com/regs_edits/iegentabs.reg to restore
your
>>>> tabs and remove any restrictions that the parasite has put in place.
>>>>
>>>> Be sure that you also download and install hotfix Q816093, here:
>>>>
>>>> http://support.microsoft.com/?kbid=816093#appliesto
>>>>
>>>> which blocks the exploit upon which this parasite family depends.
>>>>
>>>> Now download and run:
>>>> http://www.kellys-korner- xp.com/regs_edits/RestoreSearch2.REG to
restore
>>>> your search functions.
>>>>
>>>>
>>>>
>>>> If they don't fix it then start here:
>>>>
>>>> Download HijackThis, free, here:
>>>> http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a
new
>>>> fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)
>>>> You may also get it here if that link is blocked:
>>>> http://www.majorgeeks.com/downloadget.php?
>>>> id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
>>>>
>>>> In Windows Explorer, click on Tools|Folder Options|View and check "Show
>>>> hidden files and folders"  and uncheck  "Hide protected operating
system
>>>> files".  (You may want to restore these when you're all finished with
>>>> HijackThis.)
>>>>
>>>> Unzip the downloaded HijackThis to any convenient folder, start it then
>>>> press Scan. Click on SaveLog when it's finished which will create
>>>> hijackthis.log. Now click the Config button, then Misc Tools and click
on
>>>> Generate StartupList.log which will create Startuplist.txt
>>>>
>>>> Then go to one of the following forums:
>>>>
>>>> Spyware and Hijackware Removal Support, here:
>>>> http://216.180.233.162/~swicom/forums/
>>>>
>>>> or Net-Integration here:
>>>> http://www.net-integration.net/cgi-
>>> bin/forum/ikonboard.cgi?
>>> s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>>>>
>>>> or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
>>>>
>>>> Sign in, then copy and paste both files into a message asking for
>>>> assistance, Someone will answer with detailed instructions for the
removal
>>>> of your parasite(s).
>>>>
>>>>
>>>> *******
>>>> ONLY IF you've successfully eliminated the malware, you can now make a
new,
>>>> clean Restore Point and delete any previously saved (possibly infected)
>>>> ones. The following suggested approach is courtesy of Gary Woodruff:
For XP
>>>> you can run a Disk Cleanup cycle and then look in the More Options tab.
The
>>>> System Restore option removes all but the latest Restore Point. If
there
>>>> hasn't been one made since the system was cleaned you should manually
create
>>>> one before dumping the old possibly infected ones.
>>>> *******
>>>>
>>>>
>>>> Once you get this cleaned up, you might want to consider installing the
>>>> SpywareBlaster and SpywareGuard here to help prevent this kind of thing
from
>>>> happening in the future:
>>>>
>>>> http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware
Active
>>>> X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
>>>> memory load - but keep it UPDATED) The latest version as of this
writing
>>>> will prevent installation or prevent 2942 malware items from being
installed
>>>> or running if already installed, and it provides information and
fixit-links
>>>> for a variety of parasites.
>>>>
>>>> http://www.javacoolsoftware.com/spywareguard.html (Monitors for
attempts to
>>>> install malware) Keep it UPDATED.  Both Very Highly Recommended
>>>>
>>>>
>>>> --
>>>> Please respond in the same thread.
>>>> Regards, Jim Byrd, MS-MVP
>>>>
>>>>
>>>>
>>>> In news:1940f01c44cb5$54a09c60$a501280a@phx.gbl,
>>>> Gordon Smith <grsprod@hotmail.com> typed:
>>>>> Dear All,
>>>>>
>>>>> I used to be able to type a word in my address bar, and IE
>>>>> would automatically search for web-sites and display the
>>>>> results in the main window.  Recently it has stopped doing
>>>>> this and I have no idea why?
>>>>>
>>>>> Can you help?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Gordon
>>>>
>>>> .
>>
>> .