Address Bar Search - The page cannot be displayed

[Tex Hemke]

When I type in a word like "Shaw" (without the quotes) IE
6 allows me to select Search for "Shaw" and when I do
this I get the error message "The page cannot be
displayed" and at the bottom of the page it show "Cannot
find server or DNS error" Internet Explorer. This is the
link displayed in the Address Bar: http:///? Search%
20Shaw. Now if I click on the Search in the Buttons Bar
and bring up the left pane, I can type in "Shaw" in the
box to search MSN and it works. How do I get this to work
using the Address Bar Search? Please advise.... Thanks...

 

[Jim Byrd]

Hi Tex - Sounds like this might be a variant of some malware called
CoolWebSearch. Do the following:

Download and run: http://www.merijn.org/files/cwshredder.zip to remove the
parasite. Be sure to close all instances of IE and OE.

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions.


However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm



If they don't fix it then start here:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always download a
new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here:
http://tomcoyote.org/forums/index.php?act=ST&f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).




Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.

http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

 

[N]

[Jumping in...apologies for intrusion...]

Thanks for that - I had removed CWS previously, but that reg download fixed
the remaining problems with the search settings.

What I can't understand, though, is that I have up to date Norton antivirus
software, run Windows (XP) update regularly, and have cautious security
settings in IE, so how is it that CWS still managed to worm its way onto my
system over the past few weeks - did I slip up somewhere?

Thanks for insights
N

Hi Tex - Sounds like this might be a variant of some malware called
CoolWebSearch. Do the following:

Download and run: http://www.merijn.org/files/cwshredder.zip to remove the
parasite. Be sure to close all instances of IE and OE.

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions.


However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm



If they don't fix it then start here:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always download a
new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here:
http://tomcoyote.org/forums/index.php?act=ST&f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).




Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.

http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

When I type in a word like "Shaw" (without the quotes) IE
6 allows me to select Search for "Shaw" and when I do
this I get the error message "The page cannot be
displayed" and at the bottom of the page it show "Cannot
find server or DNS error" Internet Explorer. This is the
link displayed in the Address Bar: http:///? Search%
20Shaw. Now if I click on the Search in the Buttons Bar
and bring up the left pane, I can type in "Shaw" in the
box to search MSN and it works. How do I get this to work
using the Address Bar Search? Please advise.... Thanks...

 

[Tex Hemke]

Hi Jim;

Thanks, I followed the instructions you gave to restore
your search functions by downloading and running the
http://www.kellys-korner-
xp.com/regs_edits/RestoreSearch2.REG All works fine
now....

-----Original Message-----
Hi Tex - Sounds like this might be a variant of some malware called
CoolWebSearch. Do the following:

Download and run:

http://www.merijn.org/files/cwshredder.zip to remove the

parasite. Be sure to close all instances of IE and OE.

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner-

xp.com/regs_edits/RestoreSearch2.REG to restore

your search functions.


However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-

bin/forums/ikonboard.cgi. I recommend

using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm



If they don't fix it then start here:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always download a
new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php? s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

or Net-Integration here:
http://www.net-integration.net/cgi- bin/forum/ikonboard.cgi?
s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here:
http://tomcoyote.org/forums/index.php? act=ST&f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).




Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit- links for a variety
of parasites.

http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

When I type in a word like "Shaw" (without the quotes) IE
6 allows me to select Search for "Shaw" and when I do
this I get the error message "The page cannot be
displayed" and at the bottom of the page it show "Cannot
find server or DNS error" Internet Explorer. This is the
link displayed in the Address Bar: http:///? Search%
20Shaw. Now if I click on the Search in the Buttons Bar
and bring up the left pane, I can type in "Shaw" in the
box to search MSN and it works. How do I get this to work
using the Address Bar Search? Please advise....

Thanks...


.

 

[Jim Byrd]

YW, Tex - glad you got it fixed.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

Hi Jim;

Thanks, I followed the instructions you gave to restore
your search functions by downloading and running the
http://www.kellys-korner-
xp.com/regs_edits/RestoreSearch2.REG All works fine
now....

-----Original Message-----
Hi Tex - Sounds like this might be a variant of some malware called
CoolWebSearch. Do the following:

Download and run: http://www.merijn.org/files/cwshredder.zip to remove the
parasite. Be sure to close all instances of IE and OE.

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner- xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions.


However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-

bin/forums/ikonboard.cgi. I recommend

using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm



If they don't fix it then start here:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always download a
new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?
s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

or Net-Integration here:
http://www.net-integration.net/cgi- bin/forum/ikonboard.cgi?
s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here:
http://tomcoyote.org/forums/index.php?
act=ST&f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).




Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit- links for a variety
of parasites.

http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

When I type in a word like "Shaw" (without the quotes) IE
6 allows me to select Search for "Shaw" and when I do
this I get the error message "The page cannot be
displayed" and at the bottom of the page it show "Cannot
find server or DNS error" Internet Explorer. This is the
link displayed in the Address Bar: http:///? Search%
20Shaw. Now if I click on the Search in the Buttons Bar
and bring up the left pane, I can type in "Shaw" in the
box to search MSN and it works. How do I get this to work
using the Address Bar Search? Please advise.... Thanks...

.

 

[Jim Byrd]

Hi N. - Most AV software does a relatively poor job with respect to
Ad/Malware. You need specialized tools like AdAware and SpyBot S&D UPDATED
and run regularly. In addition, I would recommend installing SpywareBlaster
and SpywareGuard, per my last post to help prevent infection by these
parasites. With regard to CoolWebSearch - be sure that you also download
and install hotfix Q816093, here:
http://support.microsoft.com/?kbid=816093

which blocks the exploit upon which this parasite family depends.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

[Jumping in...apologies for intrusion...]

Thanks for that - I had removed CWS previously, but that reg download fixed
the remaining problems with the search settings.

What I can't understand, though, is that I have up to date Norton antivirus
software, run Windows (XP) update regularly, and have cautious security
settings in IE, so how is it that CWS still managed to worm its way onto my
system over the past few weeks - did I slip up somewhere?

Thanks for insights
N

Hi Tex - Sounds like this might be a variant of some malware called
CoolWebSearch. Do the following:

Download and run: http://www.merijn.org/files/cwshredder.zip to remove the
parasite. Be sure to close all instances of IE and OE.

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions.


However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you

get

a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm



If they don't fix it then start here:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always download a
new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:

http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

or Net-Integration here:

http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here:

http://tomcoyote.org/forums/index.php?act=ST&f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).




Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.

http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

 

[N]

Thanks for that, Jim

I did a little (quite literally!) reading into this update recently, and
thought that it applied only to machines running Microsoft VM, whereas my
understand was that I had been running the Sun version, rather than the MS
one. (In the advanced Internet options section of IE6, it lists - under
Java (Sun) - 'Use Java2 v.1.4.1_03 for <applet>', but there's no entry under
'Microsoft VM'.)

I also thought I had read that the vulnerability was on MS VM machines, so
that's another thing that confused me a little, as I downloaded the Sun one
some time last year.

Perhaps you can shed some more light on it for me! I.e ...
1. Am I indeed running the Sun version?
2. Am I still vulnerable?
3. Does that hotfix still apply to me? And
4. (General) Why wasn't that hotfix included in a routine Windows Update?!

Thanks again!
N

PS. Yes, I wasn't relying on Norton to provide any protection here, but had
thought that running Windows Updates regularly would plug most holes. More
fool me!

Hi N. - Most AV software does a relatively poor job with respect to
Ad/Malware. You need specialized tools like AdAware and SpyBot S&D UPDATED
and run regularly. In addition, I would recommend installing SpywareBlaster
and SpywareGuard, per my last post to help prevent infection by these
parasites. With regard to CoolWebSearch - be sure that you also download
and install hotfix Q816093, here:
http://support.microsoft.com/?kbid=816093

which blocks the exploit upon which this parasite family depends.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

[Jumping in...apologies for intrusion...]

Thanks for that - I had removed CWS previously, but that reg download fixed
the remaining problems with the search settings.

What I can't understand, though, is that I have up to date Norton antivirus
software, run Windows (XP) update regularly, and have cautious security
settings in IE, so how is it that CWS still managed to worm its way onto my
system over the past few weeks - did I slip up somewhere?

Thanks for insights
N

Hi Tex - Sounds like this might be a variant of some malware called
CoolWebSearch. Do the following:

Download and run: http://www.merijn.org/files/cwshredder.zip to remove the
parasite. Be sure to close all instances of IE and OE.

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions.


However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you

get

a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm



If they don't fix it then start here:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always

download
a

new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:

http://www.spywareinfo.com/forums/i...f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba

 

[Jim Byrd]

Hi N - You're correct - that exploit is in the MS VM. However, since you
said that you'd run and cleaned up some things using CWShredder, I assumed
that that's what you have installed. From what you've just stated, I would
now assume that all you have installed is the Sun VM. Howeve, let's see
just where you stand. Open a Cmd window and type jview followed by a
Return. The first line will tell you the version of the MS VM that you
have installed, if any.

You can test whether Java is working on your machine at the following
sites:

http://www.pocoso.de/pocoso052.html
http://www.clan.lib.ri.us/clan/javatest.html
http://www.fitwise.com/testjava.asp (both 1.0 and 1.1 and what's
installed)
http://coglab.wadsworth.com/support/browsercheck.html
http://www.ces.clemson.edu/webct/browser_detect.html

and you can test Javascript here:
http://www.dancespots.net/browsertest.htm

and check whether you have the MS VM installed and which version here:
http://www.visualware.com/personal/support/index.html#java


You can go ahead and try to install the 816093 hotfix - it won't do any harm
and won't install if the MS VM isn't present (IIRC) or you have already
installed a later Service Pack that already fixes it (such as SP4 in Win2k).


I would suggest, at this point, that you download and install the latest
version of HiJackThis and follow the procedure I outlined in my previous
post to post to one of the fora for additional help.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

Thanks for that, Jim

I did a little (quite literally!) reading into this update recently, and
thought that it applied only to machines running Microsoft VM, whereas my
understand was that I had been running the Sun version, rather than the MS
one. (In the advanced Internet options section of IE6, it lists - under
Java (Sun) - 'Use Java2 v.1.4.1_03 for <applet>', but there's no entry under
'Microsoft VM'.)

I also thought I had read that the vulnerability was on MS VM machines, so
that's another thing that confused me a little, as I downloaded the Sun one
some time last year.

Perhaps you can shed some more light on it for me! I.e ...
1. Am I indeed running the Sun version?
2. Am I still vulnerable?
3. Does that hotfix still apply to me? And
4. (General) Why wasn't that hotfix included in a routine Windows Update?!

Thanks again!
N

PS. Yes, I wasn't relying on Norton to provide any protection here, but had
thought that running Windows Updates regularly would plug most holes. More
fool me!

Hi N. - Most AV software does a relatively poor job with respect to
Ad/Malware. You need specialized tools like AdAware and SpyBot S&D UPDATED
and run regularly. In addition, I would recommend installing SpywareBlaster
and SpywareGuard, per my last post to help prevent infection by these
parasites. With regard to CoolWebSearch - be sure that you also download
and install hotfix Q816093, here:
http://support.microsoft.com/?kbid=816093

which blocks the exploit upon which this parasite family depends.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

[Jumping in...apologies for intrusion...]

Thanks for that - I had removed CWS previously, but that reg download fixed
the remaining problems with the search settings.

What I can't understand, though, is that I have up to date Norton antivirus
software, run Windows (XP) update regularly, and have cautious security
settings in IE, so how is it that CWS still managed to worm its way onto my
system over the past few weeks - did I slip up somewhere?

Thanks for insights
N


Hi Tex - Sounds like this might be a variant of some malware called
CoolWebSearch. Do the following:

Download and run: http://www.merijn.org/files/cwshredder.zip to remove the
parasite. Be sure to close all instances of IE and OE.

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions.


However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an
analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in
Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message
between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this
regularly
to get rid of most "spyware/hijackware" on your machine. If it has to
fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm



If they don't fix it then start here:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always download a
new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:

http://www.spywareinfo.com/forums/i...f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba

 

[GN]

I read this with hope as I have the same problem. I went through all
of the instructions you laid out, but it did not cure my problem. I
still get http:///? Search test if if type the word test in the
address bar of IE6 in Windows XP.

As I see others with the same problem, I sure wish I / we could find
the fix.

GN

YW, Tex - glad you got it fixed.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

Hi Jim;

Thanks, I followed the instructions you gave to restore
your search functions by downloading and running the
http://www.kellys-korner-
xp.com/regs_edits/RestoreSearch2.REG All works fine
now....

-----Original Message-----
Hi Tex - Sounds like this might be a variant of some malware called
CoolWebSearch. Do the following:

Download and run: http://www.merijn.org/files/cwshredder.zip to remove the
parasite. Be sure to close all instances of IE and OE.

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner- xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions.


However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi- bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm



If they don't fix it then start here:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always download a
new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?
s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

or Net-Integration here:
http://www.net-integration.net/cgi- bin/forum/ikonboard.cgi?
s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here:
http://tomcoyote.org/forums/index.php?
act=ST&f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).




Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit- links for a variety
of parasites.

http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In Tex Hemke <[email protected]> typed:
When I type in a word like "Shaw" (without the quotes) IE
6 allows me to select Search for "Shaw" and when I do
this I get the error message "The page cannot be
displayed" and at the bottom of the page it show "Cannot
find server or DNS error" Internet Explorer. This is the
link displayed in the Address Bar: http:///? Search%
20Shaw. Now if I click on the Search in the Buttons Bar
and bring up the left pane, I can type in "Shaw" in the
box to search MSN and it works. How do I get this to work
using the Address Bar Search? Please advise.... Thanks...


.