Re: Anyone know how to get rid of latest cool Web hijack?

From: JethroUK© (reply_at_the.board)
Date: 07/09/04


Date: Fri, 09 Jul 2004 17:33:46 GMT

cured by About Buster (nothing else):

http://tools.zerosrealm.com/AboutBuster.zip

Brilliant!

"Jan Il" <abuse@localhost.com> wrote in message
news:#LZDwhEZEHA.1264@TK2MSFTNGP11.phx.gbl...
> Hi JethroUK© :-)
>
> > update: - it's back :o( tried the plug-in but it makes no difference
> > at all - adaware can't cure it - starting to look elsewhere - let you
> > know if i find a cure, but it's looking like total windows reinstall
> > (which i could've done 10 times by now :o)
>
> You've got that dang nasty one....<sigh>
>
> Try this following and see if this helps. We're still searching and I'm
> hoping to locate the one that is now being used, but, they moved it. Use
> unhidden files.
>
> RUN EVERYTHING IN SAFE MODE AND REBOOT IN BETWEEN RUNS. YOU MAY HAVE TO
> RUN THEM SEVERAL TIMES.
>
> CoolWWWSearch.SmartKiller (v1 and v2) variant of CoolWWWSearch. When
> running, it will close every browser window you use to visit a large list
> of anti-spyware-sites, and even will close Spybot-S&D and some other
> anti-spyware applications as well.
>
> CWS.SmartKiller removal utility
> http://www.safer-networking.org/files/delcwssk.zip
>
> or..................
>
> CWShredder Related Quote
>
> Courtesy of Jim Byrd:
> Sounds like this might be a variant of some malware called CoolWebSearch
> (if CWShredder doesn't fix it, then see AdAware, SpyBot, and HijackThis,
> below, in that order). Do the following:
>
> Before you try to remove spyware using any of the programs below, download
> a copy of LSPFIX from any of the following sites:
>
> http://www.cexx.org/lspfix.htm
> http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k
> or XP)
>
> The process of removing certain malware may kill your internet connection.
> If this should occur, this program, LSPFIX, will enable you to regain your
> connection.
>
> Download, UPDATE before running, and run:
> http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
> Be sure to close all instances of IE and OE. You may also get it here if
> that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip
>
> BE SURE that you get v.158 or later!
>
> You will need to show Hidden files first and then at the end clear the
> malware garbage from your System Restore backups after you've cleaned up.
> It's best to perform CWShredder (and most other malware fixers too) from
> Safe mode and then reboot. AFTER cleaning things up, then you can disable
> and then re-enable System Restore. See ******** below.
>
> The following links give instructions on how to do these various
> functions:
>
> HOW TO Restart in Safe Mode
> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406>
>
> HOW TO Enable Hidden Files
> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339>
>
> HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
> use the suggested procedure for XP at the ******'s)
> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039>
> (WinXP)
> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239>
> (WinME)
>
> Then download and run:
> http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
> tabs and remove any restrictions that the parasite has put in place.
>
> Now download and run:
> http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
> your search functions if they've been affected (as they probably will have
> been).
>
> Be sure that you also download and install hotfix Q816093, here:
> http://support.microsoft.com/?kbid=816093
> which blocks the exploit upon which this parasite family depends.
>
> However, this also indicates that you may have acquired some other malware
> along the way. If you go to this page at Jim Eshelman's site, here:
> http://aumha.org/a/noads.htm and wait a little bit (be patient), an
> analysis of a number of possible parasites on your machine will be made to
> help you identify and remove them. NOTE: You will need to disable Ad
> Blocking in Zone Alarm 3.x, if present, or any other Ad Blocking software
> which interferes with Java Scripting for this scan to work. You should get
> a message between the two lines of **** giving the results of the scan.
>
> Get Ad-Aware 6.0, Build 181 or later, here:
> http://www.lavasoftusa.com/support/download/. UPDATE and run this
> regularly to get rid of most "spyware/hijackware" on your machine. If it
> has to fix things, be sure to re-boot and rerun AdAware again and repeat
> this cycle until you get a clean scan. The reason is that it may have to
> remove things which are currently "in use" before it can then clean up
> others.
>
> Another excellent program for this purpose is SpyBot Search and Destroy
> available here: http://security.kolla.de/ SpyBot Support Forum here:
> http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
> using both normally. After UPDATING and fixing things with SpyBot S&D, be
> sure to re-boot and rerun SpyBot again and repeat this cycle until you get
> a clean "no red" scan. The reason is that SpyBot sometimes has to remove
> things which are currently "in use" before it can then clean up others.
>
> Note that sometimes you need to make a judgement call about what these
> programs report as spyware. See here, for example:
> http://www.imilly.com/alexa.htm
>
> Both of these programs should normally be UPDATED and run after doing any
> other fix such as CWShredder and, as a minimum, normally at least once a
> week.
>
> If they don't fix it then start here:
>
> Download HijackThis, free, here:
> http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
> fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
> You may also get it here if that link is blocked:
> http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
>
> In Windows Explorer, click on Tools|Folder Options|View and check "Show
> hidden files and folders" and uncheck "Hide protected operating system
> files". (You may want to restore these when you're all finished with
> HijackThis.)
>
> Unzip the downloaded HijackThis to any convenient folder, start it then
> press Scan. Click on SaveLog when it's finished which will create
> hijackthis.log. Now click the Config button, then Misc Tools and click on
> Generate StartupList.log which will create Startuplist.txt
>
> Then go to one of the following forums:
>
> Jim Eshelman's site here:
> HiJackThis section:
> http://forum.aumha.org/
>
> Spyware and Hijackware Removal Support, here:
> http://216.180.233.162/~swicom/forums/
>
> or Net-Integration here:
> http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>
> or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
>
> Sign in, then copy and paste both files into a message asking for
> assistance. Someone will answer with detailed instructions for the removal
> of your parasite(s).
> *******
> ONLY IF you've successfully eliminated the malware, you can now make a
> new, clean Restore Point and delete any previously saved (possibly
> infected) ones. The following suggested approach is courtesy of Gary
> Woodruff: For XP you can run a Disk Cleanup cycle and then look in the
> More Options tab. The System Restore option removes all but the latest
> Restore Point. If there hasn't been one made since the system was cleaned
> you should manually create one before dumping the old possibly infected
> ones.
> *******
> Once you get this cleaned up, you might want to consider installing the
> SpywareBlaster and SpywareGuard here to help prevent this kind of thing
> from happening in the future:
>
> http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware
> ActiveX installs) (BTW, SpyWare Blaster is not memory resident ... no CPU
> or memory load - but keep it UPDATED) The latest version as of this
> writing will prevent installation or prevent the malware from running if
> it is already installed, and it provides information and fixit-links for a
> variety of parasites.
>
> http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts
> to install malware) Keep it UPDATED. Both Very Highly Recommended
>
> Finally, go to Windows Update and ensure that ALL Critical updates are
> installed.
>
> Hope this helps.
>
> Jan :)
>
> Smiles are meant to be shared,
> that's why they're so contagious.
>
> Please reply to the newsgroup so others may benefit.
> Replies are posted only to the newsgroup for the benefit of other readers.
>
> How to make a good newsgroup post:
> http://www.dts-l.org/goodpost.htm
> http://home.satx.rr.com/badour/html/post.html
>
> >
> > "Jan Il" <abuse@localhost.com> wrote in message
> > news:OtQYVIWYEHA.3536@TK2MSFTNGP11.phx.gbl...
> >> Hi JethroUK© :-)
> >>> "Jan Il" <abuse@localhost.com> wrote in message
> >>> news:uU6sgtTYEHA.1224@TK2MSFTNGP09.phx.gbl...
> >>>> Hi JethroUK© :-)
> >>>>> thanx - i been struggling with it for a week now - ended up
> >>>>> reinstalling ie & it seems to be gone now - i will try the plug-in
> >>>>> if it comes back.
> >>>>
> >>>> If it is a virus, it will be back. If it wasn't, then that may
> >>>> cure it. ;-))
> >>>>
> >>>> Thank you for letting us know what helped resolve your problem, and
> >>>> for the benefit of other readers.
> >>>>
> >>>> Jan :)
> >>>
> >>> just to elaborate (if anyone else is suffering) - my browser got
> >>> hijacked by the new cool web about a week ago - i ran Adaware
> >>> (usually does the trick), it found all the usual suspects and
> >>> deleted them - my browser ran fine all day, only for it to return
> >>> next day - over the week i scoured the web for info about this new
> >>> hijacker, kept running adaware everyday, but it always returned,
> >>> read some lengthy posts which never found a cure - downloaded and
> >>> ran CWShredder which had no effect at all - i did notice that the
> >>> 'hosts' file was write protected & it stopped working (as if it was
> >>> being by-passed), also noticed some suspicious pointing towards
> >>> 'iexplorer.exe', which made me wonder whether it had actually
> >>> corrupted Internet explorer itself
> >>>
> >>> shut down my internet connection
> >>> ran adaware
> >>> reinstalled internet explorer
> >>> rebooted
> >>> 2 days in and all still peachy with one exception - 'hosts' file
> >>> still doesn't work
> >>>
> >>> let you know if it comes back - otherwise consider it cured
> >>
> >> Thank you for the follow up on the method of removal. I might add
> >> that the plug-in for AdAware became available day before yesterday.
> >> And yes, that virus is a real bugger to get rid of. You might keep
> >> the information on that add-in handy in case someone you know
> >> happens to get it. As you now know, the regular AdAware without it
> >> won't do the trick. It has to have the add-in to cure it.
> >>
> >> Good luck, and I am hoping it is gone for good! :-))
> >>
> >> Jan :)
> >>>
> >>>>>
> >>>>>
> >>>>> "Jan Il" <abuse@localhost.com> wrote in message
> >>>>> news:#t$HqeGYEHA.212@TK2MSFTNGP12.phx.gbl...
> >>>>>> Hey JethroUK© ! :-)
> >>>>>>
> >>>>>>> tried CWShredder & Adaware - it disappears for that day, only to
> >>>>>>> reappear next day
> >>>>>>
> >>>>>> Try the following information. This just became available late
> >>>>>> yesterday. Don't let the name AdAware fool you, it is not the
> >>>>>> same, in that there is now this plug-in for AdAware to kill the
> >>>>>> latest variant. There are a few others right below it that are
> >>>>>> also relatively new, and you can try them as well. If these
> >>>>>> don't work for you post back and I'll dig into my 'Merijn's' bag
> >>>>>> of tricks and see what I can find. ;-))
> >>>>>>
> >>>>>> VX2 Variant Plug-In Cleaner - From Ad-Aware:
> >>>>>> This VX2 variant registers itself in a way which gives it system
> >>>>>> privileges. It also prevents the user from viewing this
> >>>>>> information by removing the user's rights to do so. Furthermore
> >>>>>> it constantly monitors the registry and prevents any attempts to
> >>>>>> remove its associated values. This makes it very difficult for
> >>>>>> the user to manually remove it.
> >>>>>>
> >>>>>> Close Ad-Aware 6 build 181 and Ad-Watch (if running)
> >>>>>> - Download the free VX2 Cleaner at
> >>>>>> http://www.lavasoft.de/software/plugins/vx2cleaner.shtml
> >>>>>> - Install the VX2 Cleaner
> >>>>>> - Start Ad-Aware 6 build 181
> >>>>>> - Go to "Plug-ins"
> >>>>>> - Select the VX2 Cleaner plug-in and click "Run Plugin"
> >>>>>> - If your computer isn't infected, click "Close".
> >>>>>>
> >>>>>> also..................
> >>>>>>
> >>>>>> New CWS variant that hijacks you to
> >>>>>> res://<random>.dll/sp.html#96676.
> >>>>>>
> >>>>>> Here are some other links which may shed some extra light:
> >>>>>> http://forums.spywareinfo.com/index.php?showtopic=8847
> >>>>>> http://forums.spywareinfo.com/index.php?showtopic=7447
> >>>>>> http://forums.spywareinfo.com/index.php?showtopic=7261
> >>>>>> http://forums.spywareinfo.com/index.php?showtopic=7281
> >>>>>>
> >>>>>> How you know you have it : When you start up Internet Explorer it
> >>>>>> takes a few seconds to load and in the address bar it starts with
> >>>>>> res://<Random .dll>
> >>>>>>
> >>>>>> Per Merijn - http://www.spywareinfo.com/~merijn/index.html
> >>>>>>
> >>>>>> A solution is being worked on, see this thread on the SWI forums.
> >>>>>> http://forums.spywareinfo.com/index.php?showtopic=7447
> >>>>>>
> >>>>>> If it's not working for you, or it's too complicated, I heard
> >>>>>> from several people that this workaround works as well:
> >>>>>> Open the DLL you get hijacked to in Notepad
> >>>>>> Select all content (Ctrl-A) and delete it
> >>>>>> Save the file and exit Notepad
> >>>>>> Find the file in Explorer, right-click it, select Properties,
> >>>>>> put a checkmark in 'Read-Only' and click OK.
> >>>>>> If you can't find the DLL file, make sure your settings allow you
> >>>>>> to view "Hidden files". Open up any explorer windows and click on
> >>>>>> "Tools", "Folder Options", "View" and be sure to check off "Show
> >>>>>> Hidden Files and Folders".
> >>>>>>
> >>>>>> also....................................
> >>>>>>
> >>>>>> Newest Website Malware
> >>>>>>
> >>>>>> What You Should Know About Download.Ject
> >>>>>> http://www.microsoft.com/security/incident/download_ject.mspx
> >>>>>>
> >>>>>> and..................
> >>>>>>
> >>>>>> About:Buster - There is also a removal tool and get it here.
> >>>>>> http://tools.zerosrealm.com/AboutBuster.zip
> >>>>>>
> >>>>>>
> >>>>>> Hope this helps.
> >>>>>>
> >>>>>> Jan :)
> >>>>>>
> >>>>>> Smiles are meant to be shared,
> >>>>>> that's why they're so contagious.
> >>>>>>
> >>>>>> Please reply to the newsgroup so others may benefit.
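As an added defender-side example that is not part of this thread or of any tool it names: a read-only PowerShell audit of the Internet Explorer settings and hosts file that the CoolWebSearch variants discussed above tamper with, flagging the res://<dll> start/search pages the thread describes as the tell-tale sign, the policy restrictions the .reg fixes undo, and a write-protected hosts file. The registry paths are the standard IE locations (assumed from general Windows knowledge, not taken from the thread); the script changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the IE settings and
# hosts file that CWS-style hijackers rewrite. Reports findings, modifies nothing.
$suspicious = @()

# Start/search page values that hijackers point at res://<random>.dll
$main   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$search = 'HKCU:\Software\Microsoft\Internet Explorer\Search'
$checks = @(
    @{ Key = $main;   Name = 'Start Page' },
    @{ Key = $main;   Name = 'Search Page' },
    @{ Key = $main;   Name = 'Default_Page_URL' },
    @{ Key = $search; Name = 'SearchAssistant' },
    @{ Key = $search; Name = 'CustomizeSearch' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $v) { continue }
    # res:// loads a page embedded in a local DLL; anything that is not http(s) gets reviewed
    if ($v -match '^res://' -or $v -notmatch '^https?://') {
        $suspicious += "$($c.Key)\$($c.Name) = $v"
    }
}

# Policy restrictions that lock the user out of Tools / Internet Options
foreach ($k in 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
               'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel') {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 1 } |
            ForEach-Object { $suspicious += "restriction set: $k\$($_.Name)" }
    }
}

# Hosts file: the thread notes it had been made read-only and no longer took effect
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hosts) {
    if ((Get-Item $hosts).IsReadOnly) { $suspicious += "hosts file is read-only: $hosts" }
    # Any address mapping other than the default localhost line is worth a look
    Get-Content $hosts |
        Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
        ForEach-Object { $suspicious += "hosts entry: $_" }
}

if ($suspicious.Count -eq 0) { 'No hijack indicators found.' } else { $suspicious }
```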