Re: Homepage keeps resetting itself

From: Jim Byrd (jrbyrd_at_spamlessadelphia.net)
Date: 09/07/04


Date: Mon, 6 Sep 2004 21:35:43 -0700

Hi Stuart - Well, you can do as you choose, of course. The approaches I've
outlined are what's been shown to be effective and safe in many (though not
all) of these about:blank cases. However, if you want to just try a
"one-off" to get rid of it, then try either or both of the AboutBuster
approach in the About:Blank Specific section, or the Panda Software's
Titanium Antivirus 2004 approach in Approach 6. AT YOUR OWN RISK, AND WITH
NO GUARANTEES.

-- 
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
"stuart" <stuart@discussions.microsoft.com> wrote in message
news:9EFF5F8D-188B-47E1-AC07-9CB86F77C199@microsoft.com...
> Many thanks for the detailed responses. But I must say that I'm completely
> confused by it all.
>
> Is there some sort of idiots method, i.e. download an *.exe, run it, reboot
> and then everything is all fixed.
>
>
>
> "Roger" wrote:
>
> > Jim Byrd wrote:
> >
> > >Hi Stuart - We've been seeing this a lot lately, and these are very
> > >difficult CWS parasite variants to remove.  Read ALL of this carefully to
> > >begin with, then try About:Blank Specific and then Basic Cleaning, below
> > >FIRST and then ONLY IF NECESSARY Approach 1 and/or Approach 2 and/or
> > >Approach 3 and/or Approach 4 and/or Approach 5 and/or Approach 6.
> > >
> > >********Please post back with your results in detail if possible - what you
> > >tried, what happened, how you ended up - so that we'll know better what to
> > >advise others.********
> > >
> > >#########IMPORTANT#########
> > >Before you try to remove spyware using any of the programs below, download
> > >both a copy of LSPFIX here:
> > >
> > >http://www.cexx.org/lspfix.htm
> > >
> > >AND a copy of Winsockfix
> > >http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
> > >Directions here:  http://www.tacktech.com/display.cfm?ttid=257
> > >The process of removing certain malware may kill your internet connection.
> > >If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
> > >to regain your connection.
> > >#########IMPORTANT#########
> > >
> > >
> > >Approach 1 - You can try AT YOUR OWN RISK, HSRemove, free, here:
> > >http://www.hsremove.com/.   "A few days ago I got hijacked - Nothing new in
> > >that, except this time it was a real [censored] to get rid of. - There were
> > >simply no tools available to remove this "Home Search" thing. Finally I
> > >ended up creating my own tool for it. USE IT AT YOUR OWN RISK. And if you
> > >find it helpful, then please do not hesitate to make a contribution."
> > >
> > >
> > >Approach 2 - You can try this AT YOUR OWN RISK. I normally wouldn't advise
> > >using a malware provider's uninstall, but this particular approach has been
> > >reported to work ONLY IF you have the about:blank CWS variant (there appear
> > >to be at least three or four currently) which leads you to a Search page.
> > >Paste the following IP into your browser:
> > >
> > >195.190.118.131
> > >
> > >On the screen you arrive at, you see a "Search For" window, and below it a
> > >red "Uninstall Software". Download their uninstaller, uninstall.exe. At this
> > >point I would either use TotalUninstall or make a complete backup/Restore
> > >Point of my system for safety's sake (on the basis of "at least keep what
> > >you've got"). Total Uninstall, http://www.geocities.com/ggmartau/tu.html  or
> > >direct download here:  http://files.webattack.com/localdl834/tun234.zip
> > >
> > >Run this uninstall program that you downloaded from the malware site, then
> > >UPDATE them and go to Safe mode to run UPDATED versions CWShredder, AdAware
> > >and SpyBot per the directions in Basic, below.
> > >
> > >
> > >
> > >Approach 3 - Courtesy of "Win" (Win J. Moore) in 24hoursupport.helpdesk
> > >
> > >"I had a variant of this CWS.SearchX sucker for about 3 weeks, and I FINALLY
> > >seem to be rid of it for good! It is aka Troj_StartPage.sp and
> > >BackDoor.Agent.BA. This is what I did:
> > >
> > >
> > >1. Run Regedit, and DELETE the following key:
> > >
> > >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
> > >
> > >The value of this key may look blank for you, but it is not. They hide the
> > >value so you can't see it. This registry key tells Windows to load the
> > >Trojan DLL every time ANY application is run giving it complete control to
> > >do whatever it wants. So you need to remove it so that the Trojan DLL cannot
> > >load and keep re-infecting your PC. The way to remove the registry key is
> > >not obvious. If you just delete it from RegEdit, since the Trojan DLL is
> > >loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs
> > >registry key and hit F5. Notice that it's added right back by the Trojan).
> > >
> > >So what you have to do is the following which worked for me (many thanks to
> > >"acomputerpro" at the SpywareInfo.com forums!)
> > >
> > >2. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
> > >folder to Windows2.
> > >
> > >3. Now delete the AppInit_DLLs key under the Windows2 folder.
> > >
> > >4. Hit F5 and notice that AppInit_DLLs doesn't come back.
> > >
> > >5. Rename the Windows2 folder back to Windows.  Now that AppInit_DLLs is
> > >gone, run the latest AdAware 6 to remove the Trojan for good.
> > >
> > >6. Reboot your machine, and check the registry and make sure AppInit_DLLs is
> > >still gone.
> > >
> > >Your computer should be free of this for good now. Hope it works for you...
> > >It seemed to do the trick for me!"
> > >
> > >
> > >Approach 4 - If you've already tried CWShredder to get rid of this parasite
> > >(See below, v.159.0.1 or better and fully updated before use), then take a
> > >look at this thread about manual removal of this parasite:
> > >
> > >http://www.akadia.com/services/about_blank_virus.html
> > >and this one:  http://www.daniweb.com/techtalkforums/thread5531.html
> > >and this one:  http://computercops.biz/article-5199-nested-0-0.html
> > >and this one:  http://forum.aumha.org/viewtopic.php?t=6437
> > >
> > >
> > >Approach 5 - I don't usually recommend anything but freeware that I've
> > >confidence in, but AT YOUR OWN RISK, not free ($29.95), Adware Away, here:
> > >http://www.adwareaway.com/ claims to fix it automatically, and several users
> > >now have reported success using it.  I would backup my system before using
> > >it, however - always try to "keep what you've got".
> > >
> > >
> > >Approach 6 - It has been reported that the evaluation version of Panda
> > >Software's Titanium Antivirus 2004, here:
> > >http://www.pandasoftware.com/register.asp?CodigoProducto=13&TipoLead=2&TipoUsuario=1&Tipo=1&Ref=WW-TIT4-DES&Idioma=2&Country=Us&sec=down
> > >will completely remove about:blank.  I have not been able to independently
> > >verify this yet, however, so this is AT YOUR OWN RISK.  You'll have to give
> > >them some information, and I expect you may want to uncheck some of the
> > >"opt-in" boxes at the bottom just above and below the send button.
> > >
> > >___________________________________
> > >
> > >
> > >About:Blank Specific
> > >
> > >See the procedures here: http://www.pchell.com/support/onlythebest.shtml
> > >and especially here:
> > >http://www.pestpatrol.com/pestinfo/c/cws_aboutblank.asp
> > >
> > >Download AboutBuster, here: http://www.malwarebytes.biz/AboutBuster.zip or
> > >here:  http://www.majorgeeks.com/download4289.html Then, "First unzip all
> > >files from the zip folder to a folder or your desktop. Start it and hit ok.
> > >Then hit update. A new screen should popup. On that screen hit Check for
> > >Updates. If it says it found an update hit Download Updates. If it doesn't it
> > >will automatically tell you and exit. Now for the scanning part. Hit start
> > >and then Ok. The program should start scanning. Then hit exit and reboot.
> > >
> > >Once rebooted run About:Buster once more to make sure everything is ok.
> > >The database will be updated very frequently so check your versions once a
> > >day."
> > >
> > >
> > >
> > >Basic Cleaning - Note that this symptom often indicates the possibility of
> > >other malware.  You might want to go to this page at Jim Eshelman's site, here:
> > >http://aumha.org/a/noads.htm or here:
> > >http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be
> > >patient), while an analysis of a number of possible parasites on your
> > >machine will be made to help you identify and remove them. NOTE: You will
> > >need to disable Ad Blocking in Zone Alarm 3.x, if present or any other Ad
> > >Blocking software which interferes with Java Scripting for this scan to
> > >work. You should get a message between the two lines of **** giving the
> > >results of the scan.
> > >
> > >
> > >#########IMPORTANT#########
> > >All of these removal tools should be run from Safe mode when possible.
> > >Reboot and test if the malware is fixed after using each tool.
> > >#########IMPORTANT#########
> > >
> > >
> > >Download sysclean.com, from Trend Micro, here:
> > >http://www.trendmicro.com/download/dcs.asp along with the latest pattern
> > >file, here:  http://www.trendmicro.com/download/pattern.asp  (You might also
> > >want to get Art's updater, SYS-UP.Zip, here for future updating of these:
> > >http://home.epix.net/~artnpeg/).  Place them in a dedicated folder after
> > >appropriate unzipping, and then run.  (If you download and use the updater
> > >from the beginning, it will handle downloading the other files.)
> > >
> > >
> > >
> > >For the general hijack case, the best way to start is to get Ad-Aware 6.0,
> > >Build 181 or later, here: http://www.lavasoftusa.com/support/download/.
> > >UPDATE, set it up in accordance with this:
> > >http://forum.aumha.org/viewtopic.php?t=5877 and run this regularly to get
> > >rid of most "spyware/hijackware" on your machine. If it has to fix things,
> > >be sure to re-boot and rerun AdAware again and repeat this cycle until you
> > >get a clean scan. The reason is that it may have to remove things which are
> > >currently "in use" before it can then clean up others.
> > >
> > >Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear
> > >wheel at the top and check these options to configure Ad-aware for a
> > >customized scan:
> > >
> > >General> activate these: "Automatically save log-file" and "Automatically
> > >quarantine objects prior to removal"
> > >
> > >Scanning > activate these: "Scan within archives", "Scan active processes",
> > >"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
> > >sites," and "Scan my Hosts file"
> > >
> > >Tweaks > Scanning Engine> activate this: "Unload recognized processes during
> > >scanning."
> > >
> > >Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
> > >objects prior to deletion" and "Let Windows remove files in use after
> > >reboot."
> > >
> > >Click "Proceed" to save your settings, then click "Start." Make sure
> > >"Activate in-depth scan" is ticked green, then scan your system. When the
> > >scan is finished, the screen will tell you if anything has been found, click
> > >"Next." The bad files will be listed. Right click the pane and click "Select
> > >all objects" - This will put a check mark in the box at the side, click
> > >"Next" again and click "OK" at the prompt "# objects will be removed.
> > >Continue?"
> > >
> > >
> > >Another excellent program for this purpose is SpyBot Search and Destroy
> > >available here:  http://security.kolla.de/  SpyBot Support Forum here:
> > >http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi.   I recommend
> > >using both normally.  After UPDATING and fixing ONLY RED things with SpyBot
> > >S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until
> > >you get a clean "no red" scan.  The reason is that SpyBot sometimes has to
> > >remove things which are currently "in use" before it can then clean up
> > >others.
> > >
> > >Note that sometimes you need to make a judgment call about what these
> > >programs report as spyware. See here, for example:
> > >http://www.imilly.com/alexa.htm
> > >
> > >
> > >A currently common parasite is some malware called CoolWebSearch. Do the
> > >following:
> > >
> > >Download, UPDATE before running, and run:
> > >http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
> > >Be sure to close all instances of IE and OE. You may also get it here if
> > >that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip
> > >
> > >There's a good tutorial about CWS and using CWShredder here:
> > >http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain
> > >
> > >BE SURE that you get v.159.0.1 or later!
> > >
> > >You will need to show Hidden files first and then at the end clear the
> > >malware garbage from your System Restore backups after you've cleaned up.
> > >It's best to perform CWShredder (and most other malware fixers too) from
> > >Safe mode and then reboot. AFTER cleaning things up, then you can disable
> > >and then re-enable System Restore. See ******** below.
> > >
> > >The following links give instructions on how to do these various functions:
> > >
> > >
> > >HOW TO Restart in Safe Mode
> > >http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
> > >
> > >HOW TO Enable Hidden Files
> > >http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
> > >
> > >HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
> > >use the suggested procedure for XP at the ******'s)
> > >http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
> > >(WinXP)
> > >http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
> > >(WinME)
> > >
> > >
> > >
> > >Then download and run:
> > >http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
> > >tabs and remove any restrictions that the parasite has put in place.
> > >
> > >Now download and run:
> > >http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
> > >your search functions if they've been affected (as they probably will have
> > >been).
> > >
> > >
> > >Be sure that you also download and install hotfix Q816093, here:
> > >
> > >http://support.microsoft.com/?kbid=816093
> > >
> > >which blocks the exploit upon which this parasite family depends.
> > >
> > >
> > >If they don't fix it then start here:
> > >
> > >Download HijackThis, free, here:
> > >http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
> > >fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
> > >You may also get it here if that link is blocked:
> > >http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
> > >
> > >In Windows Explorer, click on Tools|Folder Options|View and check "Show
> > >hidden files and folders" and uncheck "Hide protected operating system
> > >files". (You may want to restore these when you're all finished with
> > >HijackThis.)
> > >
> > >Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
> > >at the root level such as C:\HijackThis (NOT in a Temp folder or on your
> > >Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
> > >when it's finished which will create hijackthis.log. Now click the Config
> > >button, then Misc Tools and click on Generate StartupList.log which will
> > >create Startuplist.txt
> > >
> > >
> > >Then go to one of the following forums:
> > >
> > >Spyware and Hijackware Removal Support, here:
> > >http://216.180.233.162/~swicom/forums/
> > >
> > >or Net-Integration here:
> > >http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
> > >
> > >or Tom Coyote here:  http://forums.tomcoyote.org/index.php?act=idx
> > >
> > >Sign in, then copy and paste both files into a message asking for
> > >assistance. Someone will answer with detailed instructions for the removal
> > >of your parasite(s).
> > >
> > >
> > >*******
> > >ONLY IF you've successfully eliminated the malware, you can now make a new,
> > >clean Restore Point and delete any previously saved (possibly infected)
> > >ones. The following suggested approach is courtesy of Gary Woodruff: For XP
> > >you can run a Disk Cleanup cycle and then look in the More Options tab. The
> > >System Restore option removes all but the latest Restore Point. If there
> > >hasn't been one made since the system was cleaned you should manually create
> > >one before dumping the old possibly infected ones.
> > >*******
> > >
> > >
> > >Once you get this cleaned up, you might want to consider installing the
> > >SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
> > >happening in the future:
> > >
> > >http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware
> > >Active X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or
> > >memory load - but keep it UPDATED) The latest version as of this writing
> > >will prevent installation or prevent the malware from running if it is
> > >already installed, and it provides information and fixit-links for a variety
> > >of parasites.
> > >
> > >http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
> > >install malware) Keep it UPDATED. Both Very Highly Recommended
> > >
> > >
> > >Finally, go to Windows Update and ensure that ALL Critical updates are
> > >installed.
> > >
> > >
> > >
> > >
> > >
> > This might be a bit simpler.
> >
> > http://www.dslreports.com/faq/8428
> >
> > Follow the procedures on this page first then start your own thread on
> > this forum.
> >
> > http://www.dslreports.com/forum/security
> >
> > With a bit of luck Calamity Jane will be around to guide you through the
> > process.
> >
> > Roger
> >
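Editor's added example, not part of the thread above and not from any of the tools it names. Approach 3 turns on one observation: the AppInit_DLLs value "may look blank for you, but it is not", and whatever DLL it names gets loaded into every process, so deleting it in plain sight just gets it re-added. The About:Blank Specific section likewise comes down to what the IE Start Page / Search Page values point at. The script below audits both places and prints each value with control and non-ASCII characters escaped, so a value that renders as blank in Regedit shows its real content, and it scripts the rename / delete / rename trick from Approach 3 as a -WhatIf-capable function. Assumptions (mine, not the post's): Windows PowerShell 5.1 or later in an elevated prompt; the value names LoadAppInit_DLLs and RequireSignedAppInit_DLLs exist only on Windows Vista and later; checking both the 64-bit and 32-bit registry views matters on 64-bit Windows and is harmless on 32-bit; the "res://" and ".dll" tests on the IE page values are my heuristics for the about:blank family, since a plain about:blank start page on its own is not conclusive.

```powershell
# Added example (not from the original post): audit the AppInit_DLLs value and
# the IE start/search page values that the about:blank CWS variants tamper with.
# Assumptions: Windows PowerShell 5.1+, elevated. LoadAppInit_DLLs and
# RequireSignedAppInit_DLLs exist only on Vista and later. The res:// and .dll
# tests are heuristics, not signatures.
using namespace Microsoft.Win32

function Show-Hidden([string]$s) {
    # Escape anything Regedit may render as blank (NUL, control, non-ASCII),
    # so a value that "looks blank but is not" shows its real content.
    -join ($s.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if ($c -lt 0x20 -or $c -gt 0x7E) { '\u{0:X4}' -f $c } else { [string]$_ }
    })
}

function Get-RegValues([RegistryHive]$hive, [string]$subKey, [RegistryView]$view) {
    # Raw read through .NET so value names, kinds and contents come back unexpanded.
    $base = [RegistryKey]::OpenBaseKey($hive, $view)
    $key  = $base.OpenSubKey($subKey, $false)
    if (-not $key) { $base.Close(); return }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            View = $view; Hive = $hive; Key = $subKey; Name = $name
            Kind  = $key.GetValueKind($name)
            Value = $key.GetValue($name, $null, [RegistryValueOptions]::DoNotExpandEnvironmentNames)
        }
    }
    $key.Close(); $base.Close()
}

function Get-HijackAudit {
    $appInitKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $ieMainKey  = 'Software\Microsoft\Internet Explorer\Main'
    # Both registry views: on 64-bit Windows each has its own copy of these keys.
    foreach ($view in [RegistryView]::Registry64, [RegistryView]::Registry32) {
        # AppInit_DLLs: every process that loads user32.dll also loads the DLLs
        # named here, which is why the post says the trojan keeps re-adding it.
        foreach ($v in Get-RegValues LocalMachine $appInitKey $view) {
            $text = [string]$v.Value
            $note = switch ($v.Name) {
                'AppInit_DLLs'              { if ($text.Length -gt 0) { "AppInit_DLLs is set ($($v.Kind)): " + (Show-Hidden $text) } }
                'LoadAppInit_DLLs'          { if ($v.Value -eq 1) { 'AppInit DLL loading is enabled' } }
                'RequireSignedAppInit_DLLs' { if ($v.Value -eq 0) { 'Unsigned AppInit DLLs are allowed' } }
            }
            if ($note) { $v | Add-Member -NotePropertyName Note -NotePropertyValue $note -PassThru }
        }
        # IE page values pointing at a DLL (res://...) is the about:blank family's
        # pattern; a plain about:blank start page by itself proves nothing.
        foreach ($hive in [RegistryHive]::CurrentUser, [RegistryHive]::LocalMachine) {
            foreach ($v in Get-RegValues $hive $ieMainKey $view) {
                if ($v.Name -notin 'Start Page','Search Page','Default_Page_URL','Default_Search_URL','Local Page') { continue }
                $text = [string]$v.Value
                if ($text -match '^res://|\.dll') {
                    $v | Add-Member -NotePropertyName Note -NotePropertyValue ('Page points at a DLL: ' + (Show-Hidden $text)) -PassThru
                }
            }
        }
    }
}

function Remove-AppInitDllsViaRename {
    # Approach 3 scripted: rename the parent key so whatever re-adds the value
    # loses its path, delete the value, rename back. Run with -WhatIf first and
    # make a Restore Point before doing it for real, as the post advises.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $parent = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($PSCmdlet.ShouldProcess("$parent\Windows", 'rename, delete AppInit_DLLs, rename back')) {
        Rename-Item -Path "$parent\Windows" -NewName 'Windows2'
        Remove-ItemProperty -Path "$parent\Windows2" -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue
        Rename-Item -Path "$parent\Windows2" -NewName 'Windows'
    }
}

Get-HijackAudit | Format-Table View, Hive, Name, Kind, Note -AutoSize
# Remove-AppInitDllsViaRename -WhatIf
```

Run the audit first; an empty table means neither view has a populated AppInit_DLLs and no IE page value points at a DLL. Only if AppInit_DLLs shows content (escaped \u0000-style sequences are exactly the "looks blank" case) does the rename function apply, and it is deliberately left commented out with -WhatIf so nothing is changed until you have read what the audit reports and taken the backup the post insists on.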