Re: Homepage has been hijacked & registry has been changed

From: cacdrc (cacdrc_at_msusers.com)
Date: 11/30/04


Date: Tue, 30 Nov 2004 12:33:08 -0800

I'll follow your steps when I get home tonight but I'm a little confused
about something. You said to run all programs offline in safe mode and show
hidden files. That I follow. Then you said to reboot & run them again. Do I
reboot in safe mode? Also, did you want me to download About Buster?

"Jan Il" wrote:

> Hi cacdrc :-)
>
> This may be a newer variant of about: blank. Methods that previously removed
> the previous variant may not have any effect on it. Try the following and
> follow the instructions carefully. This variant replicates itself, thus, you
> must fully clean it from your system. This coolwebsearch infection uses a
> hidden dll to reinfect, thus it replicates itself over and over if not
> removed properly.
>
> <<<<BE SURE TO FOLLOW ALL INSTRUCTIONS CAREFULLY>>>>
>
> CAUTION!!!!!
> Before you try to remove spyware using any of the programs below, download a
> copy of LSPFIX from any of the following sites:
> http://www.cexx.org/lspfix.htm
> http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
> XP) The process of removing certain malware may kill your internet
> connection. If this should occur, this program, LSPFIX, will enable you to
> regain your connection.
>
> Also, get a copy of WINSOCKFIX available at:
> http://www.spychecker.com/program/winsockxpfix.html
>
> IMPORTANT!!
> RUN ALL PROGRAMS OFF LINE IN SAFE MODE AND SHOW HIDDEN
> FILES. THEN REBOOT AND RUN THEM AGAIN TO BE SURE ALL FILES
> ARE ACCESSED, DELETING ALL ITEMS DISPLAYED IN RED IN SPYBOT
>
> HOW TO Restart in Safe Mode
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
>
> HOW TO Enable Hidden Files
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
>
> About Buster
> http://www.majorgeeks.com/download4289.html
>
> and......
>
> Like any disinfection procedure, it's a bit risky - it deletes an important
> registry key and subsequently restores a revised version. If something goes
> wrong, your PC may no longer work normally.
>
> YOU USE THIS PROCEDURE AT YOUR OWN RISK!
>
> Download Registrar Lite 2.0, install it and run it.
> http://www.majorgeeks.com/download469.html
> http://www.softpedia.com/public/cat/12/5/12-5-21.shtml
>
> Navigate to this key:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
> (note...should be all on one line)
> and look at the AppInit_Dlls value.
>
> Write down the name of the DLL file that's displayed!
>
> (If you see several values separated by commas or spaces, which is unlikely,
> use Windows Explorer to search for each one in the Windows\System32 or
> Winnt\System32 directory. The one you can't find is the one to remember!)
>
> Exit Registrar Lite.
>
> Download and run this script. It will delete the CWS AppInit_Dlls value and
> reboot Windows. After the reboot, the shield-DLL file is still on the hard
> disk, but it's no longer a threat to your PC.
> http://www.silentrunners.org/CWS%20Shield%20Dropper.vbs
>
> Download Silent Runners here:
> http://www.silentrunners.org/Silent%20Runners.vbs
> Run it and look at the list of Browser Helper Objects. One of them will have
> a strange name. Write down the file name (including the full path)!
>
> (If you're not sure which BHO was installed by CWS, reboot into Safe Mode
> and follow steps 8-10 here. Commercial programs, such as PestPatrol, are
> also available to identify and delete BHO pests.)
>
> Download and run this script to delete the CWS shield-DLL and the BHO files.
> No reboot will be required.
> http://www.silentrunners.org/CWS%20File%20Cleaner.vbs
>
> Reset your Internet Explorer home page. Your PC should now run normally.
>
> If these steps do not resolve your problem, please post back to this thread
> with the details and any error messages.
>
> Hope this helps
>
> Jan :)
> Smiles are meant to be shared,
> that's why they're so contagious.
>
> Please reply to the newsgroup so others may benefit.
> Replies are posted only to the newsgroup for the benefit of other readers.
>
> How to make a good newsgroup post:
> http://www.dts-l.org/goodpost.htm
>
>
>
> > My home page has been hijacked to www.aflashcounter.com. I've tried to
> > correct the problem with Norton AntiVirus, AdawareSE, Spybot, Aluria,
> > CWShredder, etc. but nothing seems to fix the problem. Every time I run a new
> > HijackThis log file the problem is back. My registry has been changed too. I
> > can see the name "aflashcounter" on some of the registry keys. What can I do
> > to get this off my PC?
>
>
>
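As an added defender-side example (not part of the thread, and not one of the scripts Jan Il links), the PowerShell script below performs the two manual inspections from the procedure above in one read-only pass: it prints the AppInit_DLLs value from the key quoted in the procedure and lists every Browser Helper Object, resolving each one to its DLL and reporting whether that file is present on disk and whether it carries the Hidden attribute. It assumes the standard registry locations for AppInit_DLLs and for BHOs (the BHO key and the HKCR\CLSID lookup are not named in the thread) and changes nothing; the deletion steps remain the ones described above.

```powershell
# Added example, not from the original thread: read-only audit of the two
# registry locations the removal procedure asks you to inspect by hand.
# Run from an elevated PowerShell prompt on the affected machine.

$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
# Assumed standard BHO registration key (not named in the thread).
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Expand-DllPath([string]$Name) {
    # A bare file name with no directory is looked up in System32, the
    # location the procedure tells you to search for the missing DLL.
    $p = [Environment]::ExpandEnvironmentVariables($Name.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot "System32\$p"
    }
    return $p
}

function Describe-File([string]$Path) {
    # -Force makes Get-Item return hidden/system files, so a DLL that
    # Explorer's search would not show still gets reported, with its attributes.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($item) { return "present [$($item.Attributes)]" }
    return 'NOT FOUND on disk - note this name'
}

Write-Host '== AppInit_DLLs =='
$val = (Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ([string]::IsNullOrWhiteSpace($val)) {
    Write-Host '(empty) - the normal state on a clean machine'
} else {
    # The value may hold several names separated by commas or spaces.
    foreach ($name in ($val -split '[,\s]+' | Where-Object { $_ })) {
        $path = Expand-DllPath $name
        Write-Host ('{0,-55} {1}' -f $path, (Describe-File $path))
    }
}

Write-Host "`n== Browser Helper Objects =="
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    # Each BHO is registered by CLSID; its DLL lives under HKCR\CLSID\{...}\InprocServer32.
    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $desc = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).'(default)'
    $srv  = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if ($srv) { $dll = Expand-DllPath ([string]$srv); $state = Describe-File $dll }
    else      { $dll = '(no InprocServer32 entry)';    $state = 'unresolved' }
    Write-Host ("{0}`n  name: {1}`n  dll:  {2}`n  {3}" -f $clsid, $desc, $dll, $state)
}
```

A BHO whose name is blank or unfamiliar, or whose DLL is reported NOT FOUND or Hidden, is the entry the procedure tells you to write down before running the cleanup scripts.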


