Re: Hyperactive Hyperlinks

From: Jim Byrd (jrbyrd_at_spamlessadelphia.net)
Date: 05/27/04 

Date: Thu, 27 May 2004 10:19:49 -0700

Hi Amanda -
Sounds like this might be a variant of some malware called CoolWebSearch (if
not, then see AdAware, SpyBot, and HijackThis, below). Do the following:

Download, UPDATE before running, and run:
http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
Be sure to close all instances of IE and OE. You may also get it here if
that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip

You will need to disable System Restore and then reboot your system

in order to clear the CWS garbage from the backups. After rebooting, then

re-enable System Restore.

The following link gives instructions on how to disable it:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam&docid=2001012513122239&nsf=tsgeninfo.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions.

However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove things
which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm

If they don't fix it then start here:

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Unzip the downloaded HijackThis to any convenient folder, start it then
press Scan. Click on SaveLog when it's finished which will create
hijackthis.log. Now click the Config button, then Misc Tools and click on
Generate StartupList.log which will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:

http://216.180.233.162/~swicom/forums/

or Net-Integration here:
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).

Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.

http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended 

-- 
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
 In news:134e601c443e5$d354ac50$a401280a@phx.gbl,
Amanda <anonymous@discussions.microsoft.com> typed:
> I have been having a problem with internet explorer 6.0
> where it creates hyperlinks on random words which lead to
> a site called www.ntsearch.com. It also constantly reports
> that explorer cannot open the site (in hotmail especially)
> and aborts the operation. Also, whenever I come to the
> support sites for MSN and explorer, my mouse flickers and
> the page shivers!!  I have updated everything on my
> computer, installed a firewall, done the sasser worm
> removal, EVERYTHING!! What can I do??
>
> It started on my computer, and now is on the other one in
> the intranet.
>
> HELP!!
Quantcast