Re: Homepage keeps resetting itself
From: Jim Byrd (jrbyrd_at_spamlessadelphia.net)
Date: 09/07/04
- Next message: Jerry: "Re: Info about loading ie6"
- Previous message: Smoker: "Re: Addressing problems in IE6.1"
- In reply to: stuart: "Re: Homepage keeps resetting itself"
- Next in thread: mixon: "RE: Homepage keeps resetting itself"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 6 Sep 2004 21:35:43 -0700
Hi Stuart - Well, you can do as you choose, of course. The approaches I've
outlined are what's been shown to be effective and safe in many (though not
all) of these about:blank cases. However, if you want to just try a
"one-off" to get rid of it, then try either or both of the AboutBuster
approach in the About:Blank Specific section, or the Panda Software's
Titanium Antivirus 2004 approach in Approach 6. AT YOUR OWN RISK, AND WITH
NO GUARANTEES.
-- Please respond in the same thread. Regards, Jim Byrd, MS-MVP "stuart" <stuart@discussions.microsoft.com> wrote in message news:9EFF5F8D-188B-47E1-AC07-9CB86F77C199@microsoft.com... > Many thanks for the detailed responses. But I must say that I'm completely > confused by it all. > > Is there some sort of idiots method, i.e. download an *.exe, run it, reboot > and then everything is all fixed. > > > > "Roger" wrote: > > > Jim Byrd wrote: > > > > >Hi Stuart - We've been seeing this a lot lately, and these are very > > >difficult CWS parasite variants to remove. Read ALL of this carefully to > > >begin with, then try About:Blank Specific and then Basic Cleaning, below > > >FIRST and then ONLY IF NECESSARY Approach 1 and/or Approach 2 and/or > > >Approach 3 and/or Approach 4 and/or Approach 5 and/or Approach 6. > > > > > >********Please post back with your results in detail if possible - what you > > >tried, what happened, how you ended up - so that we'll know better what to > > >advise others.******** > > > > > >#########IMPORTANT######### > > >Before you try to remove spyware using any of the programs below, download > > >both a copy of LSPFIX here: > > > > > >http://www.cexx.org/lspfix.htm > > > > > >AND a copy of Winsockfix > > >http://www.tacktech.com/pub/winsockfix/WinsockFix.zip > > >Directions here: http://www.tacktech.com/display.cfm?ttid=257 > > >The process of removing certain malware may kill your internet connection. > > >If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you > > >to regain your connection. > > >#########IMPORTANT######### > > > > > > > > >Approach 1 - You can try AT YOUR OWN RISK, HSRemove, free, here: > > >http://www.hsremove.com/. "A few days ago I got hijacked - Nothing new in > > >that, except this time it was a real [censored] to get rid of. - There were > > >simply no tools available to remove this "Home Search" thing. Finally I > > >ended up creating my own tool for it. USE IT AT YOUR OWN RISK. And if you > > >find it helpful, then please do not hesitate to make a contribution." > > > > > > > > >Approach 2 - You can try this AT YOUR OWN RISK. I normally wouldn't advise > > >using a malware provider's uninstall, but this particular approach has been > > >reported to work ONLY IF you have the about:blank CWS variant (there appear > > >to be at least three or four currently) which leads you to a Search page. > > >Paste the following IP into your browser: > > > > > >195.190.118.131 > > > > > >On the screen you arrive at, you see a "Search For" window, and below it a > > >red "Uninstall Software". Download their uninstaller, uninstall.exe. At this > > >point I would either use TotalUninstall or make a complete backup/Restore > > >Point of my system for safety's sake (on the basis of "at least keep what > > >you've got"). Total Uninstall, http://www.geocities.com/ggmartau/tu.html or > > >direct dwnld here: http://files.webattack.com/localdl834/tun234.zip > > > > > >Run this uninstall program that you downloaded from the malware site, then > > >UPDATE them and go to Safe mode to run UPDATED versions CWShredder, AdAware > > >and SpyBot per the directions in Basic, below. > > > > > > > > > > > >Approach 3 - Courtesy of "Win" (Win J. Moore) in 24hoursupport.helpdesk > > > > > >"I had a variant of this CWS.SearchX sucker for about 3 weeks, and I FINALLY > > >seem to be rid of it for good! It is aka Troj_StartPage.sp and > > >BackDoor.Agent.BA. This is what I did: > > > > > > > > >1. Run Regedit, and DELETE the following key: > > > > > >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > > >NT\CurrentVersion\Windows\AppInit_DLLs > > > > > >The value of this key may look blank for you, but it is not. They hide the > > >value so you can't see it. This registry key tells Windows to load the > > >Trojan DLL every time ANY application is run giving it complete control to > > >do whatever it wants. So you need to remove it so that the Trojan DLL cannot > > >load and keep re-infecting your PC. The way to remove the registry key is > > >not obvious. If you just delete it from RegEdit, since the Trojan DLL is > > >loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs > > >registry key and hit F5. Notice that it's added right back by the Trojan). > > > > > >So what you have to do is the following which worked for me (many thanks to > > >"acomputerpro" at the SpywareInfo.com forums!) > > > > > >2. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows > > >folder to Windows2. > > > > > >3. Now delete the AppInit_DLLs key under the Windows2 folder. > > > > > >4. Hit F5 and notice that AppInit_DLLs doesn't come back. > > > > > >5. Rename the Windows2 folder back to Windows. Now that AppInit_DLLs is > > >gone, run the latest AdAware 6 to remove the Trojan for good. > > > > > >6. Reboot your machine, and check the registry and make sure AppInit_DLLs is > > >still gone. > > > > > >Your computer should be free of this for good now. Hope it works for you... > > >It seemed to do the trick for me!" > > > > > > > > >Approach 4 - If you've already tried CWShredder to get rid of this parasite > > >(See below, v.159.0.1 or better and fully updated before use), then take a > > >look at this thread about manual removal of this parasite: > > > > > >http://www.akadia.com/services/about_blank_virus.html > > >and this one: http://www.daniweb.com/techtalkforums/thread5531.html > > >and this one: http://computercops.biz/article-5199-nested-0-0.html > > >and this one: http://forum.aumha.org/viewtopic.php?t=6437 > > > > > > > > >Approach 5 - I don't usually recommend anything but freeware that I've > > >confidence in, but AT YOUR OWN RISK, not free ($29.95), Adware Away, here: > > >http://www.adwareaway.com/ claims to fix it automatically, and several users > > >now have reported success using it. I would backup my system before using > > >it, however - always try to "keep what you've got". > > > > > > > > >Approach 6 - It has been reported that the evaluation version of Panda > > >Software's Titanium Antivirus 2004, here: > > >http://www.pandasoftware.com/register.asp?CodigoProducto=13&TipoLead=2&Tipo Usuario=1&Tipo=1&Ref=WW-TIT4-DES&Idioma=2&Country=Us&sec=down > > >will completely remove about:blank. I have not been able to independently > > >verify this yet, however, so this is AT YOUR OWN RISK. You'll have to give > > >them some information, and I expect you may want to uncheck some of the > > >"opt-in" boxes at the bottom just above and below the send button. > > > > > >___________________________________ > > > > > > > > >About:Blank Specific > > > > > >See the procedures here: http://www.pchell.com/support/onlythebest.shtml > > >and especially here: > > >http://www.pestpatrol.com/pestinfo/c/cws_aboutblank.asp > > > > > >Download AboutBuster, here: http://www.malwarebytes.biz/AboutBuster.zip or > > >here: http://www.majorgeeks.com/download4289.html Then, "First unzip all > > >files from the zip folder to a folder or your desktop. Start it and hit ok. > > >Then hit update. A new screen should popup. On that screen hit Check for > > >Updates. If it sais it found an update hit Download Updates. If it doesnt it > > >will automatically tell you and exit. Now for the scanning part. Hit start > > >and then Ok. The program should start scanning. Then hit exit and reboot. > > > > > >Once rebooted run About:Buster once more to make sure everything is ok. > > >The database will be updated very frequently so check your versions once a > > >day." > > > > > > > > > > > >Basic Cleaning - Note that this symptom often indicates the possibility of > > >other malware. You might want go to this page at Jim Eshelman's site, here: > > >http://aumha.org/a/noads.htm or here: > > >http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be > > >patient), while an analysis of a number of possible parasites on your > > >machine will be made to help you identify and remove them. NOTE: You will > > >need to disable Ad Blocking in Zone Alarm 3.x, if present or any other Ad > > >Blocking software which interferes with Java Scripting for this scan to > > >work. You should get a message between the two lines of **** giving the > > >results of the scan. > > > > > > > > >#########IMPORTANT######### > > >All of these removal tools should be run from Safe mode when possible. > > >Reboot and test if the malware is fixed after using each tool. > > >#########IMPORTANT######### > > > > > > > > >Download sysclean.com , from Trend Micro, here: > > >http://www.trendmicro.com/download/dcs.asp along with the latest pattern > > >file, here: http://www.trendmicro.com/download/pattern.asp (You might also > > >want to get Art's updater, SYS-UP.Zip, here for future updating of these: > > >http://home.epix.net/~artnpeg/). Place them in a dedicated folder after > > >appropriate unzipping, and then run. (If you download and use the updater > > >from the beginning, it will handle downloading the other files.) > > > > > > > > > > > >For the general hijack case, the best way to start is to get Ad-Aware 6.0, > > >Build 181 or later, here: http://www.lavasoftusa.com/support/download/. > > >UPDATE, set it up in accordance with this: > > >http://forum.aumha.org/viewtopic.php?t=5877 and run this regularly to get > > >rid of most "spyware/hijackware" on your machine. If it has to fix things, > > >be sure to re-boot and rerun AdAware again and repeat this cycle until you > > >get a clean scan. The reason is that it may have to remove things which are > > >currently "in use" before it can then clean up others. > > > > > >Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear > > >wheel at the top and check these options to configure Ad-aware for a > > >customized scan: > > > > > >General> activate these: "Automatically save log-file" and "Automatically > > >quarantine objects prior to removal" > > > > > >Scanning > activate these: "Scan within archives", "Scan active processes", > > >"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned > > >sites," and "Scan my Hosts file" > > > > > >Tweaks > Scanning Engine> activate this: "Unload recognized processes during > > >scanning." > > > > > >Tweaks > Cleaning Engine: activate these: "Automatically try to unregister > > >objects prior to deletion" and "Let Windows remove files in use after > > >reboot." > > > > > >Click "Proceed" to save your settings, then click "Start." Make sure > > >"Activate in-depth scan" is ticked green, then scan your system. When the > > >scan is finished, the screen will tell you if anything has been found, click > > >"Next." The bad files will be listed. Right click the pane and click "Select > > >all objects" - This will put a check mark in the box at the side, click > > >"Next" again and click "OK" at the prompt "# objects will be removed. > > >Continue?" > > > > > > > > >Another excellent program for this purpose is SpyBot Search and Destroy > > >available here: http://security.kolla.de/ SpyBot Support Forum here: > > >http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend > > >using both normally. After UPDATING and fixing ONLY RED things with SpyBot > > >S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until > > >you get a clean "no red" scan. The reason is that SpyBot sometimes has to > > >remove things which are currently "in use" before it can then clean up > > >others. > > > > > >Note that sometimes you need to make a judgment call about what these > > >programs report as spyware. See here, for example: > > >http://www.imilly.com/alexa.htm > > > > > > > > >A currently common parasite is some malware called CoolWebSearch. Do the > > >following: > > > > > >Download, UPDATE before running, and run: > > >http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite. > > >Be sure to close all instances of IE and OE. You may also get it here if > > >that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip > > > > > >There's a good tutorial about CWS and using CWShredder here: > > >http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain > > > > > >BE SURE that you get v.159.0.1 or later! > > > > > >You will need to show Hidden files first and then at the end clear the > > >malware garbage from your System Restore backups after you've cleaned up. > > >It's best to perform CWShredder (and most other malware fixers too) from > > >Safe mode and then reboot. AFTER cleaning things up, then you can disable > > >and then re-enable System Restore. See ******** below. > > > > > >The following links give instructions on how to do these various functions: > > > > > > > > >HOW TO Restart in Safe Mode > > >http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 > > > > > >HOW TO Enable Hidden Files > > >http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339 > > > > > >HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or > > >use the suggested procedure for XP at the ******'s) > > >http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039 > > >(WinXP) > > >http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239 > > >(WinME) > > > > > > > > > > > >Then download and run: > > >http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your > > >tabs and remove any restrictions that the parasite has put in place. > > > > > >Now download and run: > > >http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore > > >your search functions if they've been affected (as they probably will have > > >been). > > > > > > > > >Be sure that you also download and install hotfix Q816093, here: > > > > > >http://support.microsoft.com/?kbid=816093 > > > > > >which blocks the exploit upon which this parasite family depends. > > > > > > > > >If they don't fix it then start here: > > > > > >Download HijackThis, free, here: > > >http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new > > >fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.) > > >You may also get it here if that link is blocked: > > >http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552 982a8baee6434cfc13 > > > > > >In Windows Explorer, click on Tools|Folder Options|View and check "Show > > >hidden files and folders" and uncheck "Hide protected operating system > > >files". (You may want to restore these when you're all finished with > > >HijackThis.) > > > > > >Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder > > >at the root level such as C:\HijackThis (NOT in a Temp folder or on your > > >Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog > > >when it's finished which will create hijackthis.log. Now click the Config > > >button, then Misc Tools and click on Generate StartupList.log which will > > >create Startuplist.txt > > > > > > > > >Then go to one of the following forums: > > > > > >Spyware and Hijackware Removal Support, here: > > >http://216.180.233.162/~swicom/forums/ > > > > > >or Net-Integration here: > > >http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d5 7b5f65b6e40c55365e;act=ST;f=27;t=6949 > > > > > >or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx > > > > > >Sign in, then copy and paste both files into a message asking for > > >assistance, Someone will answer with detailed instructions for the removal > > >of your parasite(s). > > > > > > > > >******* > > >ONLY IF you've successfully eliminated the malware, you can now make a new, > > >clean Restore Point and delete any previously saved (possibly infected) > > >ones. The following suggested approach is courtesy of Gary Woodruff: For XP > > >you can run a Disk Cleanup cycle and then look in the More Options tab. The > > >System Restore option removes all but the latest Restore Point. If there > > >hasn't been one made since the system was cleaned you should manually create > > >one before dumping the old possibly infected ones. > > >******* > > > > > > > > >Once you get this cleaned up, you might want to consider installing the > > >SpywareBlaster and SpywareGuard here to help prevent this kind of thing from > > >happening in the future: > > > > > >http://www.javacoolsoftware.com/spywareblaster.html>= (Prevents malware > > >Active X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or > > >memory load - but keep it UPDATED) The latest version as of this writing > > >will prevent installation or prevent the malware from running if it is > > >already installed, and it provides information and fixit-links for a variety > > >of parasites. > > > > > >http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to > > >install malware) Keep it UPDATED. Both Very Highly Recommended > > > > > > > > >Finally, go to Windows Update and ensure that ALL Critical updates are > > >installed. > > > > > > > > > > > > > > > > > This might be a bit simpler. > > > > http://www.dslreports.com/faq/8428 > > > > Follow the procedures on this page first then start your own thread on > > this forum. > > > > http://www.dslreports.com/forum/security > > > > With a bit of luck Calamity Jane will be around to guide you through the > > process. > > > > Roger > >
- Next message: Jerry: "Re: Info about loading ie6"
- Previous message: Smoker: "Re: Addressing problems in IE6.1"
- In reply to: stuart: "Re: Homepage keeps resetting itself"
- Next in thread: mixon: "RE: Homepage keeps resetting itself"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
