Re: Anyone know how to get rid of latest cool Web hijack?

From: JethroUK© (reply_at_the.board)
Date: 07/03/04


Date: Sat, 03 Jul 2004 22:39:35 GMT


"Jan Il" <abuse@localhost.com> wrote in message
news:uU6sgtTYEHA.1224@TK2MSFTNGP09.phx.gbl...
> Hi JethroUK© :-)
> > thanx - i been struggling with it for a week now - ended up
> > reinstalling ie & it seems to be gone now - i will try the plug-in if
> > it comes back.
>
> If it is a virus, it will be back. If it wasn't, then that may cure it.
> ;-))
>
> Thank you for letting us know what helped resolve your problem, and for the
> benefit of other readers.
>
> Jan :)

just to elaborate (if anyone else is suffering) - my browser got hijacked by
the new cool web about a week ago - i ran Adaware (usually does the trick),
it found all the usual suspects and deleted them - my browser ran fine all
day, only for it to return next day - over the week i scoured the web for
info about this new hijacker, kept running adaware everyday, but it always
returned, read some lengthy posts which never found a cure - downloaded and
ran CWShredder which had no effect at all - i did notice that the 'hosts'
file was write protected & it stopped working (as if it was being
by-passed), also noticed some suspicious pointing towards 'iexplorer.exe',
which made me wonder whether it had actually corrupted Internet explorer
itself

shut down my internet connection
ran adaware
reinstalled internet explorer
rebooted
2 days in and all still peachy with one exception - 'hosts' file still
doesn't work

let you know if it comes back - otherwise consider it cured

> >
> >
> > "Jan Il" <abuse@localhost.com> wrote in message
> > news:#t$HqeGYEHA.212@TK2MSFTNGP12.phx.gbl...
> >> Hey JethroUK© ! :-)
> >>
> >>> tried CWShredder & Adaware - it disappears for that day, only to
> >>> reappear next day
> >>
> >> Try the following information. This just became available late
> >> yesterday. Don't let the name AdAware fool you, it is not the same,
> >> in that there is now this plug-in for AdAware to kill the latest
> >> variant. There are a few others right below it that are also
> >> relatively new, and you can try them as well. If these don't work
> >> for you post back and I'll dig into my 'Merijn's' bag of tricks and
> >> see what I can find. ;-))
> >>
> >> VX2 Variant Plug-In Cleaner - From Ad-Aware:
> >> This VX2 variant registers itself in a way which gives it system
> >> privileges. It also prevents the user from viewing this information
> >> by removing the user's rights to do so. Furthermore it constantly
> >> monitors the registry and prevents any attempts to remove its
> >> associated values. This makes it very difficult for the user to
> >> manually remove it.
> >>
> >> Close Ad-Aware 6 build 181 and Ad-Watch (if running)
> >> - Download the free VX2 Cleaner at
> >> http://www.lavasoft.de/software/plugins/vx2cleaner.shtml
> >> - Install the VX2 Cleaner
> >> - Start Ad-Aware 6 build 181
> >> - Go to "Plug-ins"
> >> - Select the VX2 Cleaner plug-in and click "Run Plugin"
> >> - If your computer isn't infected, click "Close".
> >>
> >> also..................
> >>
> >> New CWS variant that hijacks you to res://<random>.dll/sp.html#96676.
> >>
> >> Here are some other links which may shed some extra light:
> >> http://forums.spywareinfo.com/index.php?showtopic=8847
> >> http://forums.spywareinfo.com/index.php?showtopic=7447
> >> http://forums.spywareinfo.com/index.php?showtopic=7261
> >> http://forums.spywareinfo.com/index.php?showtopic=7281
> >>
> >> How you know you have it : When you start up Internet Explorer it
> >> takes a few seconds to load and in the address bar it starts with
> >> res://<Random .dll>
> >>
> >> Per Merijn - http://www.spywareinfo.com/~merijn/index.html
> >>
> >> A solution is being worked on, see this thread on the SWI forums.
> >> http://forums.spywareinfo.com/index.php?showtopic=7447
> >>
> >> If it's not working for you, or it's too complicated, I heard from
> >> several people that this workaround works as well:
> >> Open the DLL you get hijacked to in Notepad
> >> Select all content (Ctrl-A) and delete it
> >> Save the file and exit Notepad
> >> Find the file in Explorer, right-click it, select Properties, put a
> >> checkmark in 'Read-Only' and click OK.
> >> If you can't find the DLL file, make sure your settings allow you to
> >> view "Hidden files". Open up any explorer windows and click on
> >> "Tools", "Folder Options", "View" and be sure to check off "Show
> >> Hidden Files and Folders".
> >>
> >> also....................................
> >>
> >> Newest Website Malware
> >>
> >> What You Should Know About Download.Ject
> >> http://www.microsoft.com/security/incident/download_ject.mspx
> >>
> >> and..................
> >>
> >> About:Buster - There is also a removal tool and get it here.
> >> http://tools.zerosrealm.com/AboutBuster.zip
> >>
> >>
> >> Hope this helps.
> >>
> >> Jan :)
> >>
> >> Smiles are meant to be shared,
> >> that's why they're so contagious.
> >>
> >> Please reply to the newsgroup so others may benefit.
>
>
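
Added example (not part of the original posts): a read-only PowerShell check for the two symptoms described in this thread, an Internet Explorer page setting that points at `res://<random>.dll/...` and a `hosts` file that is write-protected or seems to be bypassed. The registry locations and the `DataBasePath` comparison are assumptions about where to look; the thread does not say how this variant made the hosts file stop working.

```powershell
# Added example: read-only triage, nothing is modified.
$findings = @()

# 1. IE page settings that point at res://<something>.dll/ (indicator quoted in the thread).
#    Assumed locations: the Main and Search keys under HKCU and HKLM.
$ieKeys = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
          'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
          'HKCU:\Software\Microsoft\Internet Explorer\Search',
          'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search'
foreach ($key in $ieKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match '^res://[^/]+\.dll/') {
            $findings += [pscustomobject]@{
                Check = 'res:// page'; Where = "$key\$($p.Name)"; Value = $p.Value }
        }
    }
}

# 2. Directory Windows reads 'hosts' from. Assumption: a changed DataBasePath is one
#    general way a hosts file can appear bypassed; the thread does not confirm it here.
$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$expected = Join-Path $env:SystemRoot 'System32\drivers\etc'
$dbPath   = (Get-ItemProperty -Path $tcpip -Name DataBasePath -ErrorAction SilentlyContinue).DataBasePath
if ($dbPath) {
    $resolved = [Environment]::ExpandEnvironmentVariables($dbPath).TrimEnd('\')
    if ($resolved -ne $expected) {
        $findings += [pscustomobject]@{
            Check = 'hosts directory redirected'; Where = "$tcpip\DataBasePath"; Value = $resolved }
    }
} else { $resolved = $expected }

# 3. Read-only attribute on the hosts file that is actually in use.
$hostsFile = Join-Path $resolved 'hosts'
if (Test-Path -LiteralPath $hostsFile) {
    $item = Get-Item -LiteralPath $hostsFile -Force
    if ($item.IsReadOnly) {
        $findings += [pscustomobject]@{
            Check = 'hosts is read-only'; Where = $hostsFile; Value = $item.Attributes }
    }
}

if ($findings.Count) { $findings | Format-List } else { 'No indicators found.' }
```

A finding from check 1 names the DLL that the workaround quoted above refers to; a finding from check 2 or 3 only shows that the hosts configuration differs from the default, not what changed it.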

