Hi Lucrose - Not a trivial process - these are very difficult CWS parasite
variants to remove. Depending upon the amount of re-installation and/or
data saving/restoration you need to do and the variant/difficulty of
cleaning, a re-install of the OS may often be a better choice than cleaning.
If you want to try and clean your machine, then read ALL of this carefully
to begin with, then:
A good general "malware" removal site FAQ's with pretty good step-by-step
instructions is available for review here:
http://www.spywarenation.com/modules.php?name=FAQ
#########IMPORTANT#########
Before you try to remove spyware using any of the programs below, download
both a copy of LSPFIX here:
http://www.cexx.org/lspfix.htm
AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here:
http://www.tacktech.com/display.cfm?ttid=257
or here for Win2k/XP
http://files.webattack.com/localdl834/WinsockxpFix.exe
Info here:
http://www.spychecker.com/program/winsockxpfix.html
Directions here:
http://www.iup.edu/house/resnet/winfix.shtm
The process of removing certain malware may kill your internet connection.
If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
to regain your connection.
NOTE: It is reported that in XP SP2, the Run command netsh winsock reset
will fix this problem without the need for these programs. (You can also
try this if you're on XP SP1. There has also been one, as yet unconfirmed,
report that this also works there.) Also, one MS technician suggested the
following sequence:
netsh int reset all
ipconfig /flushdns
See also:
http://windowsxp.mvps.org/winsock.htm for additional XPSP2
info/approaches using the netsh command.
#########IMPORTANT#########
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible. Reboot and test if the malware is fixed
after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):
1. StartRun enter msconfig.
2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.
4. Click OK and then reboot.
For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
Sometimes the tools below will find files which they are unable to delete
because they are in use. A program called Copylock, here,
http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
"replacing, moving, renaming or deleting one or many files which are
currently in use (e.g. system files like comctl32.dll, or virus/trojan
files.)" Another is Killbox, here:
http://www.downloads.subratam.org/KillBox.zip
A third which is a bit different but often useful is Delete Invalid File,
here:
http://www.purgeie.com/delinv.htm which handles invalid/UNC
file/folder name deleting, rather than the in use problem
Download and run Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
on this page:
http://vil.nai.com/vil/stinger/ ME/XP users be sure to read:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest released
pattern file, here:
http://www.trendmicro.com/download/pattern.asp Be sure
to read the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt
(You might also want to get Art's updater, SYS-UP.Zip, here for future
updating of these:
http://home.epix.net/~artnpeg/). The updater files plus a
short tutorial on using them and SysClean are also available in one package
here:
http://www.ik-cs.com/Programs/virtools/SYSCLEAN UTILITY.exe (If you
download and use the updater from the beginning, it will automatically
handle downloading the other files.)
NOTE: You can get a somewhat more current interim pattern file, the
Controlled Pattern Release, here and manually unzip it to your SysClean
folder:
http://www.trendmicro.com/download/pattern-cpr-disclaimer.asp
(Sorry, but the Updater won't get this one for you.) Look for the lptxxx.zip
file after you agree to the terms.
Place them in a dedicated folder after appropriate unzipping.
Show hidden and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
If you're using WindowsME or WindowsXP, SysClean (and the other cleaning
tools below) may find infections within Restore Points which it will be
unable to clean. You may choose to disable Restore if you're on XP or ME
(directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm) which will
eliminate ALL previous Restore Points, or alternatively, you can wait until
cleaning is completed and then use the procedure within the *********'s
below to delete all older, possibly infected Restore Points and save a new,
clean one. This approach is in the sprit of "keep what you've got" so that
you can recover to an at least operating albeit infected system if you
inadvertently delete something vital, and is the approach I recommend that
you take.
Then boot to Safe mode or a Clean Boot as above (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
Read tscreadme.txt carefully, then do a complete scan of your system and
clean or delete anything it finds.
Reboot and re-run SysClean and continue this procedure until you get a clean
scan or nothing further can be cleaned/removed.
Now reboot to normal mode and re-run the scan again.
This scan may take a long time, as Sysclean is VERY extensive and thorough.
For example, one user reported that Sysclean found 69 hits that an
immediately prior Norton AV v. 11.0.2.4 run had missed.
Download and run the free or trial version of A2 Personal, here:
http://www.emsisoft.com/en/ Run from a Clean Boot or Safe Mode with Show
Hidden Files enabled as above
<PRIMARY REMOVAL PROCEDURES>
The most common variant which the normal removal tools can't handle is a
form of "persistent BHO" which when removed, just returns due to a 'hidden'
registry entry. If this is your case . . . .
.. . . . then, READ CAREFULLY and then apply the four steps exactly using the
scripts and programs described here:
http://www.silentrunners.org/sr_cwsremoval.html IMPORTANT - Before you
start, be sure to clear all TIF and Temp files/folders and log on as an
Administrator. You might also want to look at the procedure here:
http://www.securiteam.com/securityreviews/5RP0L0UD5U.html
</PRIMARY REMOVAL PROCEDURES>
If that doesn't fix it, then try About:Blank Specific and then Basic
Cleaning, below FIRST and then ONLY IF NECESSARY Approach 1 and/or Approach
2 and/or Approach 3 and/or Approach 4 and/or Approach 5. Test after
applying each fix.
******** Please post back with your results in detail if possible - what
you tried, what happened, how you ended up - so that we'll know better what
to advise others. ********
Approach 1 - If your hijacker is Home Search Assistant or one of these:
- Only The Best
- Home Search Extender
- Shopping Wizard
- res://****.dll/index.html#***** (or simply res .dll)
first see here:
http://www.short-media.com/forum/showthread.php?p=172774#post172774, and
here:
http://www.pchell.com/support/onlythebest.shtml. Then you can try AT
YOUR OWN RISK, HSRemove, free, here:
http://www.hsremove.com/. "A few
days ago I got hijacked - Nothing new in that, except this time it was a
real [censored] to get rid of. - There were simply no tools available to
remove this "Home Search" thing. Finally I ended up creating my own tool for
it. USE IT AT YOUR OWN RISK. And if you find it helpful, then please do not
hesitate to make a contribution." Or, you can try AboutBuster, here, which
is also designed to remove Home Search Assistant:
http://www.malwarebytes.biz/
Approach 2 - You can try this AT YOUR OWN RISK. I normally wouldn't advise
using a malware provider's uninstall, but this particular approach has been
reported to work ONLY IF you have the about:blank CWS variant (there appear
to be at least three or four currently) which leads you to a Search page.
Paste the following IP into your browser:
195.190.118.131
On the screen you arrive at, you see a "Search For" window, and below it a
red "Uninstall Software". Download their uninstaller, uninstall.exe. At this
point I would either use TotalUninstall or make a complete backup/Restore
Point of my system for safety's sake (on the basis of "at least keep what
you've got"). Total Uninstall,
http://www.geocities.com/ggmartau/tu.html or
direct dwnld here:
http://files.webattack.com/localdl834/tun234.zip
Run this uninstall program that you downloaded from the malware site, then
UPDATE them and go to Safe mode to run UPDATED versions CWShredder, AdAware
and SpyBot per the directions in Basic, below.
Approach 3 - Courtesy of "Win" (Win J. Moore) in 24hoursupport.helpdesk
"I had a variant of this CWS.SearchX sucker for about 3 weeks, and I FINALLY
seem to be rid of it for good! It is aka Troj_StartPage.sp and
BackDoor.Agent.BA. This is what I did:
1. Run Regedit, and DELETE the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Windows\AppInit_DLLs
The value of this key may look blank for you, but it is not. They hide the
value so you can't see it. This registry key tells Windows to load the
Trojan DLL every time ANY application is run giving it complete control to
do whatever it wants. So you need to remove it so that the Trojan DLL cannot
load and keep re-infecting your PC. The way to remove the registry key is
not obvious. If you just delete it from RegEdit, since the Trojan DLL is
loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs
registry key and hit F5. Notice that it's added right back by the Trojan).
So what you have to do is the following which worked for me (many thanks to
"acomputerpro" at the SpywareInfo.com forums!)
2. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
folder to Windows2.
3. Now delete the AppInit_DLLs key under the Windows2 folder.
4. Hit F5 and notice that AppInit_DLLs doesn't come back.
5. Rename the Windows2 folder back to Windows. Now that AppInit_DLLs is
gone, run the latest AdAware 6 to remove the Trojan for good.
6. Reboot your machine, and check the registry and make sure AppInit_DLLs is
still gone.
Your computer should be free of this for good now. Hope it works for you...
It seemed to do the trick for me!"
Approach 4 - If you've already tried CWShredder to get rid of this parasite
(See below, v.159.0.1 or better and fully updated before use), then take a
look at this thread about manual removal of this parasite:
http://www.akadia.com/services/about_blank_virus.html
and this one:
http://www.daniweb.com/techtalkforums/thread5531.html
and this one:
http://computercops.biz/article-5199-nested-0-0.html
Some nice clean removal directions here:
http://www.securiteam.com/securityreviews/5RP0L0UD5U.html
Approach 5 - I don't usually recommend anything but freeware that I've
confidence in, but AT YOUR OWN RISK, not free ($29.95), Adware Away, here:
http://www.adwareaway.com/ claims to fix it automatically, and several users
now have reported success using it. I would backup my system before using
it, however - always try to "keep what you've got".
___________________________________
<About:Blank Specific Fixes>
About:Blank Specific fixes. Do the Basic Cleaning steps also after
finding one of these that works AND if none do:
Then try in order:
1) See the procedures here:
http://www.pchell.com/support/onlythebest.shtml
and especially here:
http://www.pestpatrol.com/pestinfo/c/cws_aboutblank.asp and here:
http://www.securiteam.com/securityreviews/5RP0L0UD5U.html
Pest Patrol (free) claims to remove at least some of the about:blank
variants
2) Download AboutBuster, here:
http://www.malwarebytes.biz/AboutBuster.zip
or here:
http://www.majorgeeks.com/download4289.html Then, "First unzip all
files from the zip folder to a folder or your desktop. Start it and hit ok.
Then hit update. A new screen should popup. On that screen hit Check for
Updates. If it says it found an update hit Download Updates. If it doesnt it
will automatically tell you and exit. Now for the scanning part. Hit start
and then Ok. The program should start scanning. Then hit exit and reboot.
Once rebooted run About:Buster once more to make sure everything is ok.
The database will be updated very frequently so check your versions once a
day."
3) Download dllfix.exe and CWShredder from here:
http://www.renonce.com/pub/utils/dllfix.exe
and
http://209.133.47.200/~merijn/files/CWShredder.exe
or
http://www.zerosrealm.com/downloads/CWShredder.zip
or
http://downloads.subratam.org/CWShredder.exe
Unzip or install dllfix.exe to its own folder, run it and do options 1 and
2.
Now proceed with the Basic Cleaning steps, below.
4) It has been reported that the evaluation version of Panda Software's
Titanium Antivirus 2004, here:
http://www.pandasoftware.com/regist...&Ref=WW-TIT4-DES&Idioma=2&Country=Us&sec=down
will completely remove about:blank. I have not been able to independently
verify this yet, however, so this is AT YOUR OWN RISK. You'll have to give
them some information, and I expect you may want to uncheck some of the
"opt-in" boxes at the bottom just above and below the send button.
5. Courtesy of MVP Ron Kinner
"There is a German program called Spoonweg.exe which might
help.
http://lunatic-skydance.de/mr/soft/SpoonWeg.exe
It will start to download. Save it somewhere you can find
it again then Open it and say YES then Click on Trojaner-
Suchen. If it finds the version of about:blank that it is
meant to kill it will go and do it then reboot the PC.
Otherwise it will say Trojaner Spooner wird nicht gefunden.
Another German program is SpHjFix.exe.
http://www.trojaner-info.de/cgi-bin/download.cgi?
file=sphjfix
This one speaks English so just Press on Start Disinfection
If it doesn't find its target it will say Not Infected
across the top of the little window. Otherwise follow the
instructions.
Both of these probably run better in Safe Mode (F8 -
without Networking)"
</About:Blank Specific Fixes>
_____________________________
<Basic Cleaning>
Basic Cleaning - Note that this symptom often indicates the possibility of
other malware. You might want go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm or here:
http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be
patient), while an analysis of a number of possible parasites on your
machine will be made to help you identify and remove them. NOTE: You will
need to disable Ad Blocking in Zone Alarm 3.x, if present or any other Ad
Blocking software which interferes with Java Scripting for this scan to
work. You should get a message between the two lines of **** giving the
results of the scan.
For the general hijack case, the best way to start is to get Ad-Aware SE
Personal Edition, here:
http://www.lavasoftusa.com/support/download/.
UPDATE, set it up in accordance with this:
http://forum.aumha.org/viewtopic.php?t=5877 or the directions immediately
below and run this regularly to get rid of most "spyware/hijackware" on your
machine. If it has to fix things, be sure to re-boot and rerun AdAware
again and repeat this cycle until you get a clean scan. The reason is that
it may have to remove things which are currently "in use" before it can then
clean up others. Configure Ad-aware for a customized scan, and let it
remove any bad files found.....
<Begin Setup Directions>
Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear
wheel at the top and check these options to configure Ad-aware for a
customized scan:
General> activate these: "Automatically save log-file" and "Automatically
quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
sites," and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes during
scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
objects prior to deletion" and "Let Windows remove files in use after
reboot."
Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system. When the
scan is finished, the screen will tell you if anything has been found, click
"Next." The bad files will be listed. Right click the pane and click "Select
all objects" - This will put a check mark in the box at the side, click
"Next" again and click "OK" at the prompt "# objects will be removed.
Continue?"
<End Setup Directions>
Courtesy of
http://www.nondisputandum.com/html/anti_spyware.html: HINT: If
Ad Aware is automatically shut-down by a malicious software, first run
AWCloak.exe,
http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
opening Ad Aware. When AAWCloak is open, click “Activate Cloak”. Than open
Ad Aware and scan your system.
Another excellent program for this purpose is SpyBot Search and Destroy
available here:
http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. Tutorial
here:
http://www.safer-networking.org/en/index.html I recommend using both
normally. Be sure and use the Default (NOT Advanced or Beta) Mode in
Settings.
After UPDATING and fixing ONLY RED things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan. The reason is that SpyBot sometimes has to remove things
which are currently "in use" before it can then clean up others. Note that
sometimes you need to make a judgement call about what these programs report
as spyware. See here, for example:
http://www.imilly.com/alexa.htmNote that
sometimes you need to make a judgment call about what these programs report
as spyware. See here, for example:
http://www.imilly.com/alexa.htm
A currently common parasite is some malware called CoolWebSearch. Do the
following:
Download, UPDATE before running, and run:
http://cwshredder.net/bin/CWSInstall.exe from this page:
http://www.intermute.com/spysubtract/cwshredder_download.html (The new v.2+
which will automatically install in C:\Program
Files\InterMute\SpySubtract\CWShredder.exe and put a shortcut on the
Desktop. UPDATE and run the program from this install location or the
shortcut after installation. This recommendation for CWShredder is NOT
automatically a recommendation for the other programs adverstised by
Intermute in conjunction with this install.) or from here:
http://www.aumha.org/downloads/cwshredder.exe (v.2+ standalone) or here:
http://www.softpedia.com/public/scripts/downloadhero/10-17-150/ (v.2+) to
remove the parasite. Try to run from Safe mode or a Clean Boot and be sure
to close ALL other programs to the extent possible, expecially ALL
instances of IE and OE.
There's a good tutorial about CWS and using CWShredder here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain See
also:
http://cwshredder.net/cwshredder/cwschronicles.html
BE SURE that you get v.1.59.0.1 or later or the new v.2! Note that
CWShredder may make deletions/changes to your HOSTS file (sometimes as false
positives) if you use your HOSTS file as a DNS cache rather than just for ad
blocking, and that after cleanup you may need to restore it with a fresh
copy of any local DNS and/or blocking entries or disable it before running
CWShredder.
You will need to show Hidden files first and then at the end clear the
malware garbage from your System Restore backups after you've cleaned up.
It's best to perform CWShredder (and most other malware fixers too) from
Safe mode and then reboot. AFTER cleaning things up, then you can disable
and then re-enable System Restore. See ******** below.
The following links give instructions on how to do these various functions:
HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
use the suggested procedure for XP at the ******'s)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
(WinXP)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
(WinME)
or
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm (Both)
Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.
Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions if they've been affected (as they probably will have
been).
Be sure that you also download and install hotfix Q816093, here:
http://support.microsoft.com/?kbid=816093
which blocks the exploit upon which this parasite family depends.
Lastly, there are extensive, detailed instructions for manual removal of CWS
variants here:
http://www.pestpatrol.com/PestInfo/c/cws.asp You may want
to check these to be sure everything's been cleaned up.
When done, go to Start|Run and enter one line at a time (or even easier,
open a DOS box and copy the following in its entirety and then paste it into
the box):
regsvr32 hlink.dll
regsvr32 /i browseui.dll
regsvr32 /i shdocvw.dll
regsvr32 /i mshtml.dll
regsvr32 mshtmled.dll
regsvr32 actxprxy.dll
regsvr32 /i urlmon.dll
regsvr32 scrrun.dll
regsvr32 comcat.dll
regsvr32 Oleaut32.dll
regsvr32 /i Shell32.dll
regsvr32 Msoeacct.dll
regsvr32 "C:\Program Files\Outlook Express\Msoe.dll"
regsvr32 msjava.dll
regsvr32 jscript.dll
regsvr32 Olepro32.dll
regsvr32 Hlink.dll
regsvr32 Asctrls.ocx
regsvr32 Inetcpl.cpl /i
regsvr32 Dxtrans.dll
regsvr32 Dxtmsft.dll
regsvr32 Imgutil.dll
regsvr32 Msxml.dll
regsvr32 Msjava.dll
regsvr32 Jscript.dll
regsvr32 Softpub.dll
regsvr32 Wintrust.dll
regsvr32 Initpki.dll
regsvr32 Dssenh.dll
regsvr32 Rsaenh.dll
regsvr32 Gpkcsp.dll
regsvr32 Slbcsp.dll
regsvr32 Cryptdlg.dll
regsvr32 Msjet40.dll
regsvr32 pdm32.dll
regsvr32 Msjtor40.dll
regsvr32 Dao360.dll
regsvr32 Sccbase.dll
with a Return after each .dll. You'll get a message about successful
completion of the re-registration process after each one, then enter the
next (with the DOS box they'll be continuous except for the last one).
If you use Win98x and get an error on Shell32.dll, ignore it. Only the ME,
Win2k and XP versions of windows have shell32 as an object that needs
registering. (For these earlier operating systems, run "regsvr32
shdoc401.dll " instead of "regsvr32 Shell32.dll".) Depending on your
system, you may also get "not found" error messages on some or all of the
last five - if so, ignore them.
Re-start your computer when you've finished.
If they don't fix it then start here:
Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html
In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)
Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
when it's finished which will create hijackthis.log. Now click the Config
button, then Misc Tools and click on Generate StartupList.log which will
create Startuplist.txt
Then go to one of the following forums:
Spyware and Hijackware Removal Support, here:
http://216.180.233.162/~swicom/forums/
or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
or Tom Coyote here:
http://forums.tomcoyote.org/index.php?act=idx
Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance, Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."
*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******
</Basic Cleaning>
Once you get this cleaned up, you might want to consider installing Eric
Howes' IESpyAds, SpywareBlaster and SpywareGuard here to help prevent this
kind of thing from happening in the future:
IESpyads -
https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of Internet
Explorer. Once you merge this list of sites and domains into the Registry,
the web sites for these companies will not be able to use cookies, ActiveX
controls, Java applets, or scripting to compromise your privacy or your PC
while you surf the Net. Nor will they be able to use your browser to push
unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
carefully.
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or memory
load - but keep it UPDATED) The latest version as of this writing will
prevent installation or prevent the malware from running if it is already
installed, and it provides information and fixit-links for a variety of
parasites.
http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. All three Very Highly Recommended
SpywareBlaster is probably the best preventive tool currently available,
expecially if supplemented by using the Immunize function in SpyBot S&D and
a good HOSTS file (see next). IMPORTANT NOTE: A good additional source of
preventive blocking for ActiveX components is the Blocking List available
here:
http://www.spywareguide.com/blockfile.php While smaller than the
SpywareBlaster list, it contains some different malware CLSIDs and appears
to be updated with new threats more frequently. Recommended as a supplement
to SpywareBlaster. Read all of the instructions in the Expert package
download carefully. You might want to consider using:
http://www.changedetection.com/monitor.html to monitor and notify you of
changes/updates to this (or others, for that matter) list.
Next, install and keep updated a good HOSTS file. It can help you avoid
most adware/malware. See here:
http://www.mvps.org/winhelp2002/hosts.htm
(Be sure it's named/renamed HOSTS - all caps, no extension) Additional
tutorials here:
http://www.bleepingcomputer.com/forums/index.php?s=14f3f9225081133297a8acdd11137c5b&showtutorial=51
(detailed) and here:
http://www.spywarewarrior.com/viewtopic.php?t=410
(overview)
Finally, be sure that you have a good hardware or software firewall and an
AntiVirus installed, and bring your OS up-to-date with ALL Critical updates
from Windows Update.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
