Re: Homepage keeps resetting itself

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: stuart (stuart_at_discussions.microsoft.com)
Date: 09/06/04 

Date: Mon, 6 Sep 2004 14:49:04 -0700

Many thanks for the detailed responses. But I must say that I'm completely
confused by it all.

Is there some sort of idiots method, i.e. download an *.exe, run it, reboot
and then everything is all fixed.

"Roger" wrote:

> Jim Byrd wrote:
>
> >Hi Stuart - We've been seeing this a lot lately, and these are very
> >difficult CWS parasite variants to remove. Read ALL of this carefully to
> >begin with, then try About:Blank Specific and then Basic Cleaning, below
> >FIRST and then ONLY IF NECESSARY Approach 1 and/or Approach 2 and/or
> >Approach 3 and/or Approach 4 and/or Approach 5 and/or Approach 6.
> >
> >********Please post back with your results in detail if possible - what you
> >tried, what happened, how you ended up - so that we'll know better what to
> >advise others.********
> >
> >#########IMPORTANT#########
> >Before you try to remove spyware using any of the programs below, download
> >both a copy of LSPFIX here:
> >
> >http://www.cexx.org/lspfix.htm
> >
> >AND a copy of Winsockfix
> >http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
> >Directions here: http://www.tacktech.com/display.cfm?ttid=257
> >The process of removing certain malware may kill your internet connection.
> >If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
> >to regain your connection.
> >#########IMPORTANT#########
> >
> >
> >Approach 1 - You can try AT YOUR OWN RISK, HSRemove, free, here:
> >http://www.hsremove.com/. "A few days ago I got hijacked - Nothing new in
> >that, except this time it was a real [censored] to get rid of. - There were
> >simply no tools available to remove this "Home Search" thing. Finally I
> >ended up creating my own tool for it. USE IT AT YOUR OWN RISK. And if you
> >find it helpful, then please do not hesitate to make a contribution."
> >
> >
> >Approach 2 - You can try this AT YOUR OWN RISK. I normally wouldn't advise
> >using a malware provider's uninstall, but this particular approach has been
> >reported to work ONLY IF you have the about:blank CWS variant (there appear
> >to be at least three or four currently) which leads you to a Search page.
> >Paste the following IP into your browser:
> >
> >195.190.118.131
> >
> >On the screen you arrive at, you see a "Search For" window, and below it a
> >red "Uninstall Software". Download their uninstaller, uninstall.exe. At this
> >point I would either use TotalUninstall or make a complete backup/Restore
> >Point of my system for safety's sake (on the basis of "at least keep what
> >you've got"). Total Uninstall, http://www.geocities.com/ggmartau/tu.html or
> >direct dwnld here: http://files.webattack.com/localdl834/tun234.zip
> >
> >Run this uninstall program that you downloaded from the malware site, then
> >UPDATE them and go to Safe mode to run UPDATED versions CWShredder, AdAware
> >and SpyBot per the directions in Basic, below.
> >
> >
> >
> >Approach 3 - Courtesy of "Win" (Win J. Moore) in 24hoursupport.helpdesk
> >
> >"I had a variant of this CWS.SearchX sucker for about 3 weeks, and I FINALLY
> >seem to be rid of it for good! It is aka Troj_StartPage.sp and
> >BackDoor.Agent.BA. This is what I did:
> >
> >
> >1. Run Regedit, and DELETE the following key:
> >
> >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> >NT\CurrentVersion\Windows\AppInit_DLLs
> >
> >The value of this key may look blank for you, but it is not. They hide the
> >value so you can't see it. This registry key tells Windows to load the
> >Trojan DLL every time ANY application is run giving it complete control to
> >do whatever it wants. So you need to remove it so that the Trojan DLL cannot
> >load and keep re-infecting your PC. The way to remove the registry key is
> >not obvious. If you just delete it from RegEdit, since the Trojan DLL is
> >loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs
> >registry key and hit F5. Notice that it's added right back by the Trojan).
> >
> >So what you have to do is the following which worked for me (many thanks to
> >"acomputerpro" at the SpywareInfo.com forums!)
> >
> >2. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
> >folder to Windows2.
> >
> >3. Now delete the AppInit_DLLs key under the Windows2 folder.
> >
> >4. Hit F5 and notice that AppInit_DLLs doesn't come back.
> >
> >5. Rename the Windows2 folder back to Windows. Now that AppInit_DLLs is
> >gone, run the latest AdAware 6 to remove the Trojan for good.
> >
> >6. Reboot your machine, and check the registry and make sure AppInit_DLLs is
> >still gone.
> >
> >Your computer should be free of this for good now. Hope it works for you...
> >It seemed to do the trick for me!"
> >
> >
> >Approach 4 - If you've already tried CWShredder to get rid of this parasite
> >(See below, v.159.0.1 or better and fully updated before use), then take a
> >look at this thread about manual removal of this parasite:
> >
> >http://www.akadia.com/services/about_blank_virus.html
> >and this one: http://www.daniweb.com/techtalkforums/thread5531.html
> >and this one: http://computercops.biz/article-5199-nested-0-0.html
> >and this one: http://forum.aumha.org/viewtopic.php?t=6437
> >
> >
> >Approach 5 - I don't usually recommend anything but freeware that I've
> >confidence in, but AT YOUR OWN RISK, not free ($29.95), Adware Away, here:
> >http://www.adwareaway.com/ claims to fix it automatically, and several users
> >now have reported success using it. I would backup my system before using
> >it, however - always try to "keep what you've got".
> >
> >
> >Approach 6 - It has been reported that the evaluation version of Panda
> >Software's Titanium Antivirus 2004, here:
> >http://www.pandasoftware.com/register.asp?CodigoProducto=13&TipoLead=2&TipoUsuario=1&Tipo=1&Ref=WW-TIT4-DES&Idioma=2&Country=Us&sec=down
> >will completely remove about:blank. I have not been able to independently
> >verify this yet, however, so this is AT YOUR OWN RISK. You'll have to give
> >them some information, and I expect you may want to uncheck some of the
> >"opt-in" boxes at the bottom just above and below the send button.
> >
> >___________________________________
> >
> >
> >About:Blank Specific
> >
> >See the procedures here: http://www.pchell.com/support/onlythebest.shtml
> >and especially here:
> >http://www.pestpatrol.com/pestinfo/c/cws_aboutblank.asp
> >
> >Download AboutBuster, here: http://www.malwarebytes.biz/AboutBuster.zip or
> >here: http://www.majorgeeks.com/download4289.html Then, "First unzip all
> >files from the zip folder to a folder or your desktop. Start it and hit ok.
> >Then hit update. A new screen should popup. On that screen hit Check for
> >Updates. If it sais it found an update hit Download Updates. If it doesnt it
> >will automatically tell you and exit. Now for the scanning part. Hit start
> >and then Ok. The program should start scanning. Then hit exit and reboot.
> >
> >Once rebooted run About:Buster once more to make sure everything is ok.
> >The database will be updated very frequently so check your versions once a
> >day."
> >
> >
> >
> >Basic Cleaning - Note that this symptom often indicates the possibility of
> >other malware. You might want go to this page at Jim Eshelman's site, here:
> >http://aumha.org/a/noads.htm or here:
> >http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be
> >patient), while an analysis of a number of possible parasites on your
> >machine will be made to help you identify and remove them. NOTE: You will
> >need to disable Ad Blocking in Zone Alarm 3.x, if present or any other Ad
> >Blocking software which interferes with Java Scripting for this scan to
> >work. You should get a message between the two lines of **** giving the
> >results of the scan.
> >
> >
> >#########IMPORTANT#########
> >All of these removal tools should be run from Safe mode when possible.
> >Reboot and test if the malware is fixed after using each tool.
> >#########IMPORTANT#########
> >
> >
> >Download sysclean.com , from Trend Micro, here:
> >http://www.trendmicro.com/download/dcs.asp along with the latest pattern
> >file, here: http://www.trendmicro.com/download/pattern.asp (You might also
> >want to get Art's updater, SYS-UP.Zip, here for future updating of these:
> >http://home.epix.net/~artnpeg/). Place them in a dedicated folder after
> >appropriate unzipping, and then run. (If you download and use the updater
> >from the beginning, it will handle downloading the other files.)
> >
> >
> >
> >For the general hijack case, the best way to start is to get Ad-Aware 6.0,
> >Build 181 or later, here: http://www.lavasoftusa.com/support/download/.
> >UPDATE, set it up in accordance with this:
> >http://forum.aumha.org/viewtopic.php?t=5877 and run this regularly to get
> >rid of most "spyware/hijackware" on your machine. If it has to fix things,
> >be sure to re-boot and rerun AdAware again and repeat this cycle until you
> >get a clean scan. The reason is that it may have to remove things which are
> >currently "in use" before it can then clean up others.
> >
> >Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear
> >wheel at the top and check these options to configure Ad-aware for a
> >customized scan:
> >
> >General> activate these: "Automatically save log-file" and "Automatically
> >quarantine objects prior to removal"
> >
> >Scanning > activate these: "Scan within archives", "Scan active processes",
> >"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
> >sites," and "Scan my Hosts file"
> >
> >Tweaks > Scanning Engine> activate this: "Unload recognized processes during
> >scanning."
> >
> >Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
> >objects prior to deletion" and "Let Windows remove files in use after
> >reboot."
> >
> >Click "Proceed" to save your settings, then click "Start." Make sure
> >"Activate in-depth scan" is ticked green, then scan your system. When the
> >scan is finished, the screen will tell you if anything has been found, click
> >"Next." The bad files will be listed. Right click the pane and click "Select
> >all objects" - This will put a check mark in the box at the side, click
> >"Next" again and click "OK" at the prompt "# objects will be removed.
> >Continue?"
> >
> >
> >Another excellent program for this purpose is SpyBot Search and Destroy
> >available here: http://security.kolla.de/ SpyBot Support Forum here:
> >http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
> >using both normally. After UPDATING and fixing ONLY RED things with SpyBot
> >S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until
> >you get a clean "no red" scan. The reason is that SpyBot sometimes has to
> >remove things which are currently "in use" before it can then clean up
> >others.
> >
> >Note that sometimes you need to make a judgment call about what these
> >programs report as spyware. See here, for example:
> >http://www.imilly.com/alexa.htm
> >
> >
> >A currently common parasite is some malware called CoolWebSearch. Do the
> >following:
> >
> >Download, UPDATE before running, and run:
> >http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
> >Be sure to close all instances of IE and OE. You may also get it here if
> >that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip
> >
> >There's a good tutorial about CWS and using CWShredder here:
> >http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain
> >
> >BE SURE that you get v.159.0.1 or later!
> >
> >You will need to show Hidden files first and then at the end clear the
> >malware garbage from your System Restore backups after you've cleaned up.
> >It's best to perform CWShredder (and most other malware fixers too) from
> >Safe mode and then reboot. AFTER cleaning things up, then you can disable
> >and then re-enable System Restore. See ******** below.
> >
> >The following links give instructions on how to do these various functions:
> >
> >
> >HOW TO Restart in Safe Mode
> >http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
> >
> >HOW TO Enable Hidden Files
> >http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
> >
> >HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
> >use the suggested procedure for XP at the ******'s)
> >http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
> >(WinXP)
> >http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
> >(WinME)
> >
> >
> >
> >Then download and run:
> >http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
> >tabs and remove any restrictions that the parasite has put in place.
> >
> >Now download and run:
> >http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
> >your search functions if they've been affected (as they probably will have
> >been).
> >
> >
> >Be sure that you also download and install hotfix Q816093, here:
> >
> >http://support.microsoft.com/?kbid=816093
> >
> >which blocks the exploit upon which this parasite family depends.
> >
> >
> >If they don't fix it then start here:
> >
> >Download HijackThis, free, here:
> >http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
> >fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
> >You may also get it here if that link is blocked:
> >http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
> >
> >In Windows Explorer, click on Tools|Folder Options|View and check "Show
> >hidden files and folders" and uncheck "Hide protected operating system
> >files". (You may want to restore these when you're all finished with
> >HijackThis.)
> >
> >Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
> >at the root level such as C:\HijackThis (NOT in a Temp folder or on your
> >Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
> >when it's finished which will create hijackthis.log. Now click the Config
> >button, then Misc Tools and click on Generate StartupList.log which will
> >create Startuplist.txt
> >
> >
> >Then go to one of the following forums:
> >
> >Spyware and Hijackware Removal Support, here:
> >http://216.180.233.162/~swicom/forums/
> >
> >or Net-Integration here:
> >http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
> >
> >or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
> >
> >Sign in, then copy and paste both files into a message asking for
> >assistance, Someone will answer with detailed instructions for the removal
> >of your parasite(s).
> >
> >
> >*******
> >ONLY IF you've successfully eliminated the malware, you can now make a new,
> >clean Restore Point and delete any previously saved (possibly infected)
> >ones. The following suggested approach is courtesy of Gary Woodruff: For XP
> >you can run a Disk Cleanup cycle and then look in the More Options tab. The
> >System Restore option removes all but the latest Restore Point. If there
> >hasn't been one made since the system was cleaned you should manually create
> >one before dumping the old possibly infected ones.
> >*******
> >
> >
> >Once you get this cleaned up, you might want to consider installing the
> >SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
> >happening in the future:
> >
> >http://www.javacoolsoftware.com/spywareblaster.html>= (Prevents malware
> >Active X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or
> >memory load - but keep it UPDATED) The latest version as of this writing
> >will prevent installation or prevent the malware from running if it is
> >already installed, and it provides information and fixit-links for a variety
> >of parasites.
> >
> >http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
> >install malware) Keep it UPDATED. Both Very Highly Recommended
> >
> >
> >Finally, go to Windows Update and ensure that ALL Critical updates are
> >installed.
> >
> >
> >
> >
> >
> This might be a bit simpler.
>
> http://www.dslreports.com/faq/8428
>
> Follow the procedures on this page first then start your own thread on
> this forum.
>
> http://www.dslreports.com/forum/security
>
> With a bit of luck Calamity Jane will be around to guide you through the
> process.
>
> Roger
>

Quantcast