Hijacking

Dave

Hello,
My browser is changing itself to "netspry.com". I keep
resetting my browser to my default but it keeps getting
hijacked. Has anyone any idea how to remove this menace?
 
Jim Byrd

Hi Dave - This might be a variant of some malware called CoolWebSearch (if
not, then see HijackThis, below). Do the following:

Download, UPDATE before running, and run:
http://www.merijn.org/files/cwshredder.zip to remove the parasite. Be sure
to close all instances of IE and OE.

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions.


However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm



If they don't fix it then start here:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always download a
new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here:
http://tomcoyote.org/forums/index.php?act=ST&f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba

Sign in, then copy and paste both files into a message asking for
assistance. Someone will answer with detailed instructions for the removal
of your parasite(s).




Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.

http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



Guest

----- Dave wrote: -----

Hello,
My browser is changing itself to "netspry.com". I keep
resetting my browser to my default but it keeps getting
hijacked. Has anyone any idea how to remove this menace?

Hi Dave,

Perhaps you've already taken care of your problem. If not, follow the directions below. I had exactly the same dilemma and I used the advice of a guy whose instructions (included below) I found just recently.

Do it following these steps:

1. Go to RegEdit and using Find option, locate all netspry entries and delete them.

2. Find the winpage.dll in your computer (it is most probably in c:\program files\homepage), uncheck the hidden file box, and delete it.

3. Look in RegEdit and you will notice that this dll has registered the following GUIDs:

HKEY_CLASSES_ROOT\TypeLib\{C4C16842-A83E-4FC1-B9EF-995F764DA9B2}
HKEY_CLASSES_ROOT\CLSID\{12DF6E3E-6272-4AE8-880B-2158D60791C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12DF6E3E-6272-4AE8-880B-2158D60791C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4C16842-A83E-4FC1-B9EF-995F764DA9B2}

It worked on my computer. I hope it will work on yours.
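
A read-only check for the artifacts named in the steps above, as an added example that is not part of the original post. The GUIDs, DLL name and folder are taken from the thread; the `InprocServer32` lookup and the Internet Explorer `Start Page` value are assumptions based on the standard COM and IE registry layout, and the script assumes a Windows system with PowerShell available.

```powershell
# Read-only audit: reports what is present, deletes nothing.
# GUIDs, DLL name and folder come from the thread; other paths are assumptions.
$guids = @{
    'TypeLib' = '{C4C16842-A83E-4FC1-B9EF-995F764DA9B2}'
    'CLSID'   = '{12DF6E3E-6272-4AE8-880B-2158D60791C0}'
}
$roots = 'HKEY_CLASSES_ROOT', 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes'

$findings = foreach ($root in $roots) {
    foreach ($kind in $guids.Keys) {
        $plain   = "$root\$kind\$($guids[$kind])"
        $key     = "Registry::$plain"
        # -LiteralPath is required: braces in the GUID are wildcard characters.
        $present = Test-Path -LiteralPath $key
        $server  = $null
        if ($present -and $kind -eq 'CLSID') {
            # A COM class names its implementing DLL in the default value
            # of InprocServer32 (assumption: standard COM registration).
            $sub = "$key\InprocServer32"
            if (Test-Path -LiteralPath $sub) {
                $server = (Get-Item -LiteralPath $sub).GetValue('')
            }
        }
        [pscustomobject]@{ Key = $plain; Present = $present; Server = $server }
    }
}
$findings | Format-List

# The DLL is described as hidden, so -Force is needed to list it.
$dll = Get-ChildItem -LiteralPath 'C:\Program Files\homepage' -Filter 'winpage.dll' `
           -Force -ErrorAction SilentlyContinue
if ($dll) { "Found: $($dll.FullName)" } else { 'winpage.dll not found in the expected folder' }

# Assumption: the hijacked home page is stored in IE's per-user Start Page value.
$main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -LiteralPath $main -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -match 'netspry') {
    "Start Page still points at: $startPage"
} else {
    "Start Page: $startPage"
}
```

If the `Server` field for the CLSID key shows a path ending in `winpage.dll`, the key belongs to the component the post describes; export it with RegEdit before changing anything.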
 
Roy

zegarek said:
----- Dave wrote: -----

Hello,
My browser is changing itself to "netspry.com". I keep
resetting my browser to my default but it keeps getting
hijacked. Has anyone any idea how to remove this menace?

Hi Dave,

Perhaps you've already taken care of your problem. If not, follow the directions below. I had exactly the same dilemma and I used the advice of a guy whose instructions (included below) I found just recently.

Do it following these steps:

1. Go to RegEdit and using Find option, locate all netspry entries and delete them.

2. Find the winpage.dll in your computer (it is most probably in c:\program files\homepage), uncheck the hidden file box, and delete it.

3. Look in RegEdit and you will notice that this dll has registered the following GUIDs:

HKEY_CLASSES_ROOT\TypeLib\{C4C16842-A83E-4FC1-B9EF-995F764DA9B2}
HKEY_CLASSES_ROOT\CLSID\{12DF6E3E-6272-4AE8-880B-2158D60791C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12DF6E3E-6272-4AE8-880B-2158D60791C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4C16842-A83E-4FC1-B9EF-995F764DA9B2}

It worked on my computer. I hope it will work on yours.


My wife is having the Netspry problem and it is frustrating us both!!
I have not been able to download "Hijack This" from any link in any of
these postings. Keep getting connection was refused message. I have
Zone Alarm (free), but it doesn't seem to be a message from ZA.

My real question for "zegarek" is the HKEY lines mentioned in your
message - are they to be deleted or what?

Many thanks! If I can rid her of this pest, I'll be a hero - but I'll
give you credit. :)
 
Mike Burgess

Roy,
You can download HijackThis 1.97.7 from:
http://www.majorgeeks.com/download3155.html

http://www.netspry.com/uninstall.html
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 02-18-04]
Please post replies to this Newsgroup, email address is invalid