Re: Homepage has been hijacked & registry has been changed


From: Jan Il (abuse_at_localhost.com)
Date: 11/30/04


Date: Tue, 30 Nov 2004 14:39:22 -0500

Hi cacdrc :-)

This may be a newer variant of about: blank. Methods that previously removed
the previous variant may not have any effect on it. Try the following and
follow the instructions carefully. This variant replicates itself, thus, you
must fully clean it from your system. This coolwebsearch infection uses a
hidden dll to reinfect, thus it replicates itself over and over if not
removed properly.

<<<<BE SURE TO FOLLOW ALL INSTRUCTIONS CAREFULLY>>>>

CAUTION!!!!!
Before you try to remove spyware using any of the programs below, download a
copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or XP)
The process of removing certain malware may kill your internet
connection. If this should occur, this program, LSPFIX, will enable you to
regain your connection.

Also, get a copy of WINSOCKFIX available at:
http://www.spychecker.com/program/winsockxpfix.html

IMPORTANT!!
RUN ALL PROGRAMS OFF LINE IN SAFE MODE AND SHOW HIDDEN
FILES. THEN REBOOT AND RUN THEM AGAIN TO BE SURE ALL FILES
ARE ACCESSED, DELETING ALL ITEMS DISPLAYED IN RED IN SPYBOT

HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

About Buster
http://www.majorgeeks.com/download4289.html

and......

Like any disinfection procedure, it's a bit risky - it deletes an important
registry key and subsequently restores a revised version. If something goes
wrong, your PC may no longer work normally.

YOU USE THIS PROCEDURE AT YOUR OWN RISK!

Download Registrar Lite 2.0, install it and run it.
http://www.majorgeeks.com/download469.html
http://www.softpedia.com/public/cat/12/5/12-5-21.shtml

Navigate to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(note...should be all on one line)
and look at the AppInit_Dlls value.

Write down the name of the DLL file that's displayed!

(If you see several values separated by commas or spaces, which is unlikely,
use Windows Explorer to search for each one in the Windows\System32 or
Winnt\System32 directory. The one you can't find is the one to remember!)

Exit Registrar Lite.

Download and run this script. It will delete the CWS AppInit_Dlls value and
reboot Windows. After the reboot, the shield-DLL file is still on the hard
disk, but it's no longer a threat to your PC.
http://www.silentrunners.org/CWS%20Shield%20Dropper.vbs

Download Silent Runners here:
http://www.silentrunners.org/Silent%20Runners.vbs
Run it and look at the list of Browser Helper Objects. One of them will have
a strange name. Write down the file name (including the full path)!

(If you're not sure which BHO was installed by CWS, reboot into Safe Mode
and follow steps 8-10 here. Commercial programs, such as PestPatrol, are
also available to identify and delete BHO pests.)

Download and run this script to delete the CWS shield-DLL and the BHO files.
No reboot will be required.
http://www.silentrunners.org/CWS%20File%20Cleaner.vbs

Reset your Internet Explorer home page. Your PC should now run normally.

If these steps do not resolve your problem, please post back to this thread
with the details and any error messages.

Hope this helps

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit of other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

> My home page has been hijacked to www.aflashcounter.com. I've tried to
> correct the problem with Norton AntiVirus, AdawareSE, Spybot, Aluria,
> CWShredder, etc. but nothing seems to fix the problem. Every time I run a
> new HijackThis log file the problem is back. My registry has been changed
> too. I can see the name "aflashcounter" on some of the registry keys. What
> can I do to get this off my PC?
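The two manual checks in the reply above (read the AppInit_DLLs value and find which listed DLL is missing or hidden on disk, then list the installed Browser Helper Objects and the file each one loads) as a read-only PowerShell audit. This is an added example, not code from the original post, from Registrar Lite or from the Silent Runners scripts; the function names Resolve-ModuleFile, Get-AppInitDllAudit and Get-BhoAudit are my own, and it assumes a Windows PowerShell with the Registry provider, which the Windows 2000/XP machines in this thread would not have had without installing it. The AppInit_DLLs key path is the one quoted in the reply; the Browser Helper Objects key and the CLSID\InProcServer32 lookup are the standard registry locations that tools like Silent Runners read, but they are not quoted in the post.

```powershell
# Added example (not from the original post): a read-only audit of the two
# places the reply tells the reader to inspect by hand. It changes nothing;
# it only reports what it finds so the names can be written down before any
# cleanup tool is run.

# Key path quoted in the reply.
$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
# Standard BHO registration key (assumed here; not quoted in the post).
$BhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Look a module up on disk. -Force makes Get-Item see hidden files, which is
# exactly what the reply says the CWS shield DLL is, so we label that case.
function Resolve-ModuleFile {
    param([string] $Name, [string[]] $SearchDirs)
    $candidates = @($Name)
    if (-not [System.IO.Path]::IsPathRooted($Name)) {
        $candidates = $SearchDirs | ForEach-Object { Join-Path $_ $Name }
    }
    foreach ($path in $candidates) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $hidden = ($item.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0
            return [pscustomobject]@{
                Path   = $item.FullName
                Status = if ($hidden) { 'present but HIDDEN' } else { 'present' }
            }
        }
    }
    [pscustomobject]@{ Path = $Name; Status = 'NOT FOUND' }
}

# Step one of the reply: read AppInit_DLLs and check every listed name.
function Get-AppInitDllAudit {
    $props = Get-ItemProperty -Path $AppInitKey -ErrorAction Stop
    $raw   = [string] $props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return }   # empty is the normal state
    # The value may carry several names separated by commas or spaces.
    foreach ($entry in ($raw -split '[,\s]+' | Where-Object { $_ })) {
        $hit = Resolve-ModuleFile -Name $entry -SearchDirs @("$env:SystemRoot\System32", $env:SystemRoot)
        [pscustomobject]@{ Source = 'AppInit_DLLs'; Entry = $entry; Path = $hit.Path; Status = $hit.Status }
    }
}

# Step two of the reply: list each BHO and the DLL its CLSID points at.
function Get-BhoAudit {
    if (-not (Test-Path $BhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $BhoKey) {
        $clsid  = $sub.PSChildName
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        $dll    = ''
        if ($server) {
            $dll = [System.Environment]::ExpandEnvironmentVariables([string] $server.'(default)')
        }
        if ($dll) {
            $hit = Resolve-ModuleFile -Name $dll -SearchDirs @("$env:SystemRoot\System32")
        } else {
            $hit = [pscustomobject]@{ Path = ''; Status = 'no InProcServer32 entry' }
        }
        [pscustomobject]@{ Source = 'BHO'; Entry = $clsid; Path = $hit.Path; Status = $hit.Status }
    }
}

@(Get-AppInitDllAudit) + @(Get-BhoAudit) | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; it prints one row per AppInit_DLLs entry and per BHO. A row marked NOT FOUND or HIDDEN under AppInit_DLLs is the name the reply tells you to write down, and a BHO row whose path points at an oddly named file is the one to note before running the cleanup scripts. Because the audit only reads, it is safe to run again after the cleanup and after a reboot to confirm the entries are gone.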


