Hi Lucille - You've been hijacked by a parasite called KeenValue. Start
here:
http://www.doxdesk.com/parasite/KeenValue.html
Then, if you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in
Zone Alarm 3.x, if present, or any other Ad Blocking software which
interferes with Java Scripting, for this scan to work. You should get a
message between the two lines of **** giving the results of the scan.
For the general hijack case, the best way to start is to get Ad-Aware 6.0,
Build 181 or later, here:
http://www.lavasoftusa.com/support/download/.
Update and run this regularly to get rid of most "spyware/hijackware" on
your machine. If it has to fix things, be sure to re-boot and rerun
AdAware again and repeat this cycle until you get a clean scan. The reason
is that it may have to remove things which are currently "in use" before it
can then clean up others.
Another excellent program for this purpose is SpyBot Search and Destroy
available here:
http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally (at least once per week). After fixing things with
SpyBot S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle
until you get a clean "no red" scan. The reason is that SpyBot sometimes
has to remove things which are currently "in use" before it can then clean
up others.
Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm
Lastly, a very useful utility for examining your system and correcting
problems is Hijack This, which you can download here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip See also,
HijackThis Quick Start Help,
http://www.tomcoyote.org/hjt/ (Recommended)
This site has a number of useful references and information also:
http://www.spywareinfo.com/articles/hijacked/ and here
http://www.spywareinfo.com/downloads.php
Another program giving a good inventory of all of the possible start vectors
is AutostartExplorer, here:
http://www.misec.net/aexp.jsp While it doesn't
allow control of startups, it's extremely comprehensive in examining all of
the possible sources. Highly Recommended
Next, go here:
http://www.mlin.net/StartupCPL.shtml and get Mike Lin's
Startup Control Panel applet. A somewhat more difficult to use but more
extensive program to do the same thing is StartupList from here:
http://www.lurkhere.com/~nicefiles/index.html, or even better, Autoruns from
here:
http://www.sysinternals.com/ntw2k/source/misc.shtml#autoruns. Be
very careful about doing any Registry modifications directly unless you're
comfortable with this, and be sure that you BACKUP your Registry before
making any changes, so that you can recover if something goes wrong.
Changes made with StartUpCPL are less likely to cause problems, and are
usually a matter of just re-enabling the particular program. Another
program of this type that I can recommend is StartMan, free, here:
http://www.spywareinfo.com/downloads/startman/. If you have problems with
suspected hijackers, you can look up and investigate suspect programs in
your StartUp lists here:
http://www.pacs-portal.co.uk/startup_pages/startup_full.htm (Recommended)
http://www.3feetunder.com/krick/startup/list.html (Recommended)
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm (Recommended)
Some hijackers install themselves as Browser Helper Objects. Get BHOCop
here:
http://www.pcmag.com/article2/0,4149,270,00.asp
(Unfortunately, no longer free from that link but you can read about it
there, and here is a direct download link for it:
http://websec.arcady.fr/bhocop.zip) and take a look at what BHOs are
currently installed. Some things like AdShield and Acrobat are normal, but
if you see something that doesn't make any sense, try disabling it and see
if that helps. Another excellent program for this same purpose is BHODemon,
(still free) here:
http://www.definitivesolutions.com/ or here:
http://www.spywareinfo.com/downloads/bhod/ I would recommend both. You can
also check/control BHOs using the Tools function of SpyBot S&D.
There's good information about hijacking and fixes available here:
Andrew Clover's parasite page:
http://www.doxdesk.com/parasite/ (Highly
recommended)
Robert Allen's parasite page:
http://allentech.net/parasite/index.phtml
(Highly recommended)
http://www.spywareinfo.com/hijacked.html
http://gmpservicesinc.com/Articles/hijack.asp (links here for .reg files to
lock and unlock your homepage, BTW. You can also use this program to toggle
locking/unlocking of your homepage:
http://www.dougknox.com/security/scripts/nosethomepage.vbs Recommended)
http://www.mvps.org/inetexplorer/answers.htm#home_page
Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it updated) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed for 1052 parasites (including KeenValue, BTW), and it
provides information and fixit-links for a variety of parasites.
http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Both Very Highly Recommended.
See if any of this helps and post back with your results.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
Lucille said:
I've been hijacked by a toolbar called power search--eUniverse--Sir Search.
I've run SpyBot and AdAware which supposedly removed eUniverse but it's
back.
Can you help.
Lucille
Jim Byrd said:
Hi Barry - Sounds like this might be a variant of some malware called
CoolWebSearch. Do the following:
Download and run:
http://www.merijn.org/files/cwshredder.zip to remove the
parasite. Be sure to close all instances of IE and OE.
Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.
Be sure that you also download and install hotfix Q816093, here:
http://support.microsoft.com/?kbid=816093#appliesto
which blocks the exploit upon which this parasite family depends.
However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present, or any other Ad Blocking software which interferes
with Java Scripting, for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.
Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. Update and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.
Another excellent program for this purpose is SpyBot Search and Destroy
available here:
http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After fixing things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan. The reason is that SpyBot sometimes has to remove things
which are currently "in use" before it can then clean up others.
Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm
If they don't fix it then start here:
Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always download a
new fresh copy of HijackThis [and CWShredder also] - It's updated
frequently.)
Unzip it to any convenient folder, start it, then press Scan. Click on
SaveLog when it's finished, which will create hijackthis.log. Now click the
Config button, then Misc Tools, and click on Generate StartupList.log, which
will create Startuplist.txt.
Then go to one of the following forums:
Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
http://tomcoyote.org/forums/index.php?act=ST&f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba
Sign in, then copy and paste both files into a message asking for
assistance. Someone will answer with detailed instructions for the removal
of your parasite(s).
Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:
http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it updated) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.
http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Both Very Highly Recommended
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
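Added example, not part of either post above: a short Python triage of a saved hijackthis.log that pulls out the Browser Helper Object (O2) and autostart (O4) entries both replies talk about and lists the ones not on a known-good list, so they can be looked up before anything is disabled. The log text, CLSIDs, file paths and the `KNOWN_GOOD` list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis log layout; every entry is made up.
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/
O2 - BHO: (no name) - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Reader\reader_helper.dll
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - C:\WINDOWS\System32\xtoolbar.dll
O4 - HKLM\..\Run: [Firewall] C:\Program Files\Firewall\fw.exe
O4 - HKCU\..\Run: [updmgr] C:\WINDOWS\TEMP\updmgr.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "O2 - ..." style lines
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN = re.compile(r"^(.+?): \[(.+?)\] (.+)$")            # location: [value name] command

def parse_log(text):
    """Group entries by section code (R0, O2, O4, ...); header and process list are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def needs_review(sections, known_good):
    """Return O2 (BHO) and O4 (autostart) entries whose CLSID or value name is not in known_good."""
    out = []
    for body in sections.get("O2", []):
        m = BHO.match(body)
        if m and m.group(2).upper() not in known_good:
            out.append(("BHO", m.group(2), m.group(3)))
    for body in sections.get("O4", []):
        m = RUN.match(body)
        if m and m.group(2) not in known_good:
            out.append(("Run", m.group(2), m.group(3)))
    return out

# Hypothetical allowlist: items the user knowingly installed.
KNOWN_GOOD = {"{11111111-1111-1111-1111-111111111111}", "Firewall"}

if __name__ == "__main__":
    for kind, ident, target in needs_review(parse_log(SAMPLE_LOG), KNOWN_GOOD):
        print(f"look up before disabling: {kind} {ident} -> {target}")
```

An entry showing up here only means it is not on the allowlist; it still has to be checked against a startup or BHO reference list before it is treated as a parasite.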