Re: Searching from Address Bar

From: Gordon Smith (grsprod_at_hotmail.com)
Date: 06/09/04


Date: Wed, 9 Jun 2004 11:44:58 -0700

Hi Jim,

Thanks for the advice, have followed the steps and am
waiting for a reply based on my HijackThis listing.

Just have to wait and see...

Will let you know what happens

Regards,

Gordon

>-----Original Message-----
>Hi Gordon - Nothing in the RestoreSearch2 .reg file would affect any of
>that. I suspect that you've other malware of some sort. I'm going to post
>the "full course" message, but I would suggest after you've read it that you
>go directly to the HiJackThis section and follow the steps there.
>
>Sounds like this might be a variant of some malware called CoolWebSearch (if
>not, then see AdAware, SpyBot, and HijackThis, below). Do the following:
>
>Download, UPDATE before running, and run:
>http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
>Be sure to close all instances of IE and OE. You may also get it here if
>that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip
>
>BE SURE that you get v.158 or later!
>
>You will need to show Hidden files first and then at the end disable System
>Restore and then reboot your system in order to clear the malware garbage
>from the backups after you've cleaned up. It's best to perform CWShredder
>(and most other malware fixers too) from Safe mode and then reboot. After
>cleaning things up, then you can disable and then re-enable System Restore.
>See ******** below.
>
>The following links give instructions on how to do these various functions:
>
>
>HOW TO Restart in Safe Mode
><http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406>
>
>HOW TO Enable Hidden Files
><http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339>
>
>HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning)
><http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039>
>(WinXP)
><http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239>
>(WinME)
>
>
>
>Then download and run:
>http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
>tabs and remove any restrictions that the parasite has put in place.
>
>Be sure that you also download and install hotfix Q816093, here:
>
>http://support.microsoft.com/?kbid=816093#appliesto
>
>which blocks the exploit upon which this parasite family depends.
>
>Now download and run:
>http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
>your search functions.
>
>
>However, this also indicates that you may have acquired some other malware
>along the way. If you go to this page at Jim Eshelman's site, here:
>http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
>of a number of possible parasites on your machine will be made to help you
>identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
>Alarm 3.x, if present or any other Ad Blocking software which interferes
>with Java Scripting for this scan to work. You should get a message between
>the two lines of **** giving the results of the scan.
>
>Get Ad-Aware 6.0, Build 181 or later, here:
>http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
>to get rid of most "spyware/hijackware" on your machine. If it has to fix
>things, be sure to re-boot and rerun AdAware again and repeat this cycle
>until you get a clean scan. The reason is that it may have to remove
>things which are currently "in use" before it can then clean up others.
>
>Another excellent program for this purpose is SpyBot Search and Destroy
>available here: http://security.kolla.de/ SpyBot Support Forum here:
>http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
>using both normally. After UPDATING and fixing things with SpyBot S&D, be
>sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
>clean "no red" scan. The reason is that SpyBot sometimes has to remove
>things which are currently "in use" before it can then clean up others.
>
>Note that sometimes you need to make a judgement call about what these
>programs report as spyware. See here, for example:
>http://www.imilly.com/alexa.htm
>
>
>
>If they don't fix it then start here:
>
>Download HijackThis, free, here:
>http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
>fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
>You may also get it here if that link is blocked:
>http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
>
>In Windows Explorer, click on Tools|Folder Options|View and check "Show
>hidden files and folders" and uncheck "Hide protected operating system
>files". (You may want to restore these when you're all finished with
>HijackThis.)
>
>Unzip the downloaded HijackThis to any convenient folder, start it then
>press Scan. Click on SaveLog when it's finished which will create
>hijackthis.log. Now click the Config button, then Misc Tools and click on
>Generate StartupList.log which will create Startuplist.txt
>
>Then go to one of the following forums:
>
>Spyware and Hijackware Removal Support, here:
>http://216.180.233.162/~swicom/forums/
>
>or Net-Integration here:
>http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>
>or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
>
>Sign in, then copy and paste both files into a message asking for
>assistance. Someone will answer with detailed instructions for the removal
>of your parasite(s).
>
>
>*******
>ONLY IF you've successfully eliminated the malware, you can now make a new,
>clean Restore Point and delete any previously saved (possibly infected)
>ones. The following suggested approach is courtesy of Gary Woodruff: For XP
>you can run a Disk Cleanup cycle and then look in the More Options tab. The
>System Restore option removes all but the latest Restore Point. If there
>hasn't been one made since the system was cleaned you should manually create
>one before dumping the old possibly infected ones.
>*******
>
>
>Once you get this cleaned up, you might want to consider installing the
>SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
>happening in the future:
>
>http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
>X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
>memory load - but keep it UPDATED) The latest version as of this writing
>will prevent installation or prevent the malware from running if it is
>already installed, and it provides information and fixit-links for a variety
>of parasites.
>
>http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
>install malware) Keep it UPDATED. Both Very Highly Recommended
>
>--
>Please respond in the same thread.
>Regards, Jim Byrd, MS-MVP
>
>
>
> In news:1960b01c44ce6$56ac0680$a501280a@phx.gbl,
>Gordon Smith <grsprod@hotmail.com> typed:
>> Hi Jim,
>>
>> Bad news I'm afraid. Got the search bar issue resolved.
>> Running Ad-aware and SpyBot...but now that I've changed
>> the REG this has altered other settings. Most noticeably
>> the graphics setup. Icons now look grainy on screen and
>> for instance when I try and view Media Player 9 in full
>> screen it won't work. Error message says increase hardware
>> accelerator to full. This is already set to full, I'm
>> running at max resolution as per prior, in fact all
>> graphics settings seem the same. But they obv aren't as
>> the display qual has reduced.
>>
>> Any ideas?
>>
>> Sorry to keep pestering you!
>>
>> Kind regards,
>>
>> Gordon
>>> -----Original Message-----
>>> YW, Gordon - Let us know what happens, please.
>>>
>>> --
>>> Please respond in the same thread.
>>> Regards, Jim Byrd, MS-MVP
>>>
>>>
>>>
>>> In news:194eb01c44cc9$741b9a40$a501280a@phx.gbl,
>>> Gordon Smith <grsprod@hotmail.com> typed:
>>>> Hi Jim,
>>>>
>>>> Thanks for what looks like an extremely detailed email!
>>>>
>>>> I shall def give everything a go, I did have Lavasoft on
>>>> before and suspect that may be the root of my problems. I
>>>> also have a Spybot program. I'll try the other things and
>>>> see where that gets me.
>>>>
>>>> Many thanks for your time and assistance.
>>>>
>>>> Kind regards,
>>>>
>>>> Gordon
>>>>
>>>>> -----Original Message-----
>>>>> Hi Gordon - Download and run:
>>>>> http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
>>>>> your default Search functions. You'll have to manually reselect any
>>>>> Customization, however.
>>>>>
>>>>> Note that this symptom often indicates the possibility of other malware.
>>>>> You might want to go to this page at Jim Eshelman's site, here:
>>>>> http://aumha.org/a/noads.htm or here:
>>>>> http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be
>>>>> patient), while an analysis of a number of possible parasites on your
>>>>> machine will be made to help you identify and remove them. NOTE: You will
>>>>> need to disable Ad Blocking in Zone Alarm 3.x, if present or any other Ad
>>>>> Blocking software which interferes with Java Scripting for this scan to
>>>>> work. You should get a message between the two lines of **** giving the
>>>>> results of the scan.
>>>>>
>>>>> For the general hijack case, the best way to start is to get Ad-Aware 6.0,
>>>>> Build 181 or later, here: http://www.lavasoftusa.com/support/download/.
>>>>> UPDATE and run this regularly to get rid of most "spyware/hijackware" on
>>>>> your machine. If it has to fix things, be sure to re-boot and rerun
>>>>> AdAware again and repeat this cycle until you get a clean scan. The reason
>>>>> is that it may have to remove things which are currently "in use" before it
>>>>> can then clean up others.
>>>>>
>>>>> Another excellent program for this purpose is SpyBot Search and Destroy
>>>>> available here: http://security.kolla.de/ SpyBot Support Forum here:
>>>>> http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
>>>>> using both normally. After UPDATING and fixing things with SpyBot S&D, be
>>>>> sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
>>>>> clean "no red" scan. The reason is that SpyBot sometimes has to remove
>>>>> things which are currently "in use" before it can then clean up others.
>>>>>
>>>>>
>>>>> Note that sometimes you need to make a judgement call about what these
>>>>> programs report as spyware. See here, for example:
>>>>> http://www.imilly.com/alexa.htm
>>>>>
>>>>>
>>>>> A currently common parasite which can cause this symptom is some malware
>>>>> called CoolWebSearch. Do the following:
>>>>>
>>>>> Download, UPDATE before running, and run:
>>>>> http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
>>>>> Be sure to close all instances of IE and OE. You may also get it here if
>>>>> that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip
>>>>>
>>>>> BE SURE that you get v.158 or later!
>>>>>
>>>>> You will need to show Hidden files first and then at the end disable System
>>>>> Restore and then reboot your system in order to clear the malware garbage
>>>>> from the backups after you've cleaned up. It's best to perform CWShredder
>>>>> (and most other malware fixers too) from Safe mode and then reboot. After
>>>>> cleaning things up, then you can disable and then re-enable System Restore.
>>>>> See ******** below.
>>>>>
>>>>> The following links give instructions on how to do these various functions:
>>>>>
>>>>>
>>>>> HOW TO Restart in Safe Mode
>>>>> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406>
>>>>>
>>>>> HOW TO Enable Hidden Files
>>>>> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339>
>>>>>
>>>>> HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning)
>>>>> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039>
>>>>> (WinXP)
>>>>> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239>
>>>>> (WinME)
>>>>>
>>>>>
>>>>>
>>>>> Then download and run:
>>>>> http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
>>>>> tabs and remove any restrictions that the parasite has put in place.
>>>>>
>>>>> Be sure that you also download and install hotfix Q816093, here:
>>>>>
>>>>> http://support.microsoft.com/?kbid=816093#appliesto
>>>>>
>>>>> which blocks the exploit upon which this parasite family depends.
>>>>>
>>>>> Now download and run:
>>>>> http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
>>>>> your search functions.
>>>>>
>>>>>
>>>>>
>>>>> If they don't fix it then start here:
>>>>>
>>>>> Download HijackThis, free, here:
>>>>> http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
>>>>> fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
>>>>> You may also get it here if that link is blocked:
>>>>> http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
>>>>>
>>>>> In Windows Explorer, click on Tools|Folder Options|View and check "Show
>>>>> hidden files and folders" and uncheck "Hide protected operating system
>>>>> files". (You may want to restore these when you're all finished with
>>>>> HijackThis.)
>>>>>
>>>>> Unzip the downloaded HijackThis to any convenient folder, start it then
>>>>> press Scan. Click on SaveLog when it's finished which will create
>>>>> hijackthis.log. Now click the Config button, then Misc Tools and click on
>>>>> Generate StartupList.log which will create Startuplist.txt
>>>>>
>>>>> Then go to one of the following forums:
>>>>>
>>>>> Spyware and Hijackware Removal Support, here:
>>>>> http://216.180.233.162/~swicom/forums/
>>>>>
>>>>> or Net-Integration here:
>>>>> http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>>>>>
>>>>> or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
>>>>>
>>>>> Sign in, then copy and paste both files into a message asking for
>>>>> assistance. Someone will answer with detailed instructions for the removal
>>>>> of your parasite(s).
>>>>>
>>>>>
>>>>> *******
>>>>> ONLY IF you've successfully eliminated the malware, you can now make a new,
>>>>> clean Restore Point and delete any previously saved (possibly infected)
>>>>> ones. The following suggested approach is courtesy of Gary Woodruff: For XP
>>>>> you can run a Disk Cleanup cycle and then look in the More Options tab. The
>>>>> System Restore option removes all but the latest Restore Point. If there
>>>>> hasn't been one made since the system was cleaned you should manually create
>>>>> one before dumping the old possibly infected ones.
>>>>> *******
>>>>>
>>>>>
>>>>> Once you get this cleaned up, you might want to consider installing the
>>>>> SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
>>>>> happening in the future:
>>>>>
>>>>> http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
>>>>> X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
>>>>> memory load - but keep it UPDATED) The latest version as of this writing
>>>>> will prevent installation or prevent 2942 malware items from being installed
>>>>> or running if already installed, and it provides information and fixit-links
>>>>> for a variety of parasites.
>>>>>
>>>>> http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
>>>>> install malware) Keep it UPDATED. Both Very Highly Recommended
>>>>>
>>>>>
>>>>> --
>>>>> Please respond in the same thread.
>>>>> Regards, Jim Byrd, MS-MVP
>>>>>
>>>>>
>>>>>
>>>>> In news:1940f01c44cb5$54a09c60$a501280a@phx.gbl,
>>>>> Gordon Smith <grsprod@hotmail.com> typed:
>>>>>> Dear All,
>>>>>>
>>>>>> I used to be able to type a word in my address bar, and IE
>>>>>> would automatically search for web-sites and display the
>>>>>> results in the main window. Recently it has stopped doing
>>>>>> this and I have no idea why?
>>>>>>
>>>>>> Can you help?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Gordon
>>>>>
>>>>> .
>>>
>>> .
>
>.
>