HiJacked and can't get rid of it.

SlimWhitman

I started a post a while back asking for help with an
unwanted home page. But it seems the problem is much
deeper. I can't seem to enter a login/password for any site
except this one, and it logs me on automatically. Any other
site I try to log onto just kicks me back to the
login/password screen. This means that even though I have a
HiJackThis log I can't get anyone to analyze it. I've
found several entries in my registry but I don't know
how to fix this problem or how to find the program that is
installing it. It also redirects my homepage to some porn
site and won't allow usage of the address bar at all. If
you try to manually type in an address it reverts to the
default homepage they have hijacked me to.
 
Don Varnau

Try this...
From Control Panel> Internet Options> Advanced> uncheck "Enable third party
browser extensions." Does that allow you to login to any of the sites?

Have you been able to run CWShredder, Ad-aware and/or Spybot?
http://mvps.org/winhelp2002/unwanted.htm

Try the parasite scan at http://www.aumha.org/a/noads.htm

Post back to this thread if none of these suggestions help.

Don
--
MVP IE/OE
Please reply to the newsgroup so that others may participate.

Guest

These are the steps I have taken so far...
I downloaded Ad-aware, SpyBot and HiJackThis.
All of these detect the problem; however, none of them seem
to get rid of it. I can't log into any forums that don't
automatically log me in when I go to the page. Any
login/password does not work. (LET ME BE SPECIFIC) I have
tried many forums and many logins, and I have double and triple
checked. I can't log onto any page that requires a
password. If I click ok/enter it just makes me put the
login/pass in over and over... At first I didn't realize this
was my browser or part of the parasite until it was
determined that it happens on all the pages I visit that
require a login/pass and don't log me in automatically.
Originally I believed it was just redirecting my homepage
and messing with my address bar/search features; this is
not the case. Now I have run the programs mentioned, which
I was told to run in an earlier post about "Unwanted
Homepages", several times. I have found that even if SpyBot
or Ad-aware removed them they come right back. I posted
back and they informed me to get HiJackThis and where and
how to post the log file it creates for further
assistance. Here is where I've come to an impasse. I can't
post the log file with this parasite. I have tried to get to
the site for CWShredder but for some reason it won't load
correctly. I'm not sure why though. Please, any help in
this would be appreciated.
 
still slim

I also have read several other posts here on the same/similar
complaints, and let me add that I've checked my cookie
settings and they are enabled. I've cleared the
autocomplete histories for the login/password problem.
 
still slim

So that I'm clear on this: I've also made sure that third
party extensions are unchecked, I've cleared the auto-complete
histories, I've made sure that cookies are enabled,
I've run Ad-Aware, SpyBot, HiJackThis and I can't seem to
get to the CWShredder page to d/l it. I have my HiJackThis log
file but I haven't been able to have anyone review it.
Spybot and Ad-aware say that I have a common hijacker;
however, both are unable to remove it. I've seen several of
the same references in the log file for HiJackThis but I'm
neither qualified to read it properly nor make any actions
based on the findings. I'm unable to post these findings
to the pages that I was told to visit because of the
login/password problems.
 
Jim Byrd

Hi Slim - Sounds like this might be a variant of some malware called
CoolWebSearch (if not, then see AdAware, SpyBot, and HijackThis, below). If
the links Don provided don't work then try the following using the IP link
for CWShredder, below.

Do the following:

Download, UPDATE before running, and run:
http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
Be sure to close all instances of IE and OE. You may also get it here if
that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip

You will need to disable System Restore and then reboot your system
in order to clear the CWS garbage from the backups. After rebooting, then
re-enable System Restore.

The following link gives instructions on how to disable it:
http://service1.symantec.com/SUPPOR...sf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=



Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions.


However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm



If they don't fix it then start here:

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://216.180.233.162/~swicom/forums/

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx

Sign in, then copy and paste both files into a message asking for
assistance. Someone will answer with detailed instructions for the removal
of your parasite(s).




Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.

http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



SlimWhitman

Ok, I was able to get a copy of CWShredder and ran it. It
said it found something and fixed it just like SpyBot;
however, it didn't fix my problem. I'm still being hijacked
and I'm still unable to use the address bar, and I'm still
unable to use login/password protected sites. I've run
Ad-aware, SpyBot S&D, CWShredder, and HiJackThis and the
first 3 said they fixed the problem and didn't.
With HiJackThis I have no idea what I'm looking for in the log
file or how to use the information.

I've spoken to 2 other people that have been redirected to
the same site that I have been. They have both rebooted
their entire system and are still going through this. So
I'm completely lost as to how to fix this. If I thought I
could just slam my system back to new to get rid of it I
would, but this doesn't seem to work either from what
they tell me.

BTW, off topic, but isn't doing this to someone's system
illegal or something? Anyone with info on that I would
appreciate as well.
 
Jim Byrd

Hi Slim - I'll repeat the appropriate part of my previous post:

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://216.180.233.162/~swicom/forums/

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx

Sign in, then copy and paste both files into a message asking for
assistance. Someone will answer with detailed instructions for the removal
of your parasite(s).


See if you can do this.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
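
Added example, not part of any poster's message: a small triage script for the hijackthis.log file discussed above, which pulls out the coded lines and flags the ones tied to the symptoms reported in this thread (changed start/search page, hosts file redirection, rewritten URL prefix, forced style sheet, locked settings). The log text is a constructed sample with placeholder hosts and file names, and the trusted host list is an assumption.

```python
import re
from typing import NamedTuple
from urllib.parse import urlparse

# Section codes HijackThis prefixes to each log line, limited to the
# ones that bear on the symptoms described in this thread.
SECTION_NOTES = {
    "O2": "Browser Helper Object",
    "O4": "program started at logon",
    "O5": "Internet Options hidden from Control Panel",
    "O6": "Internet Options locked by policy",
    "O7": "Regedit locked by policy",
    "O13": "IE DefaultPrefix changed (typed addresses get rewritten)",
    "O19": "user style sheet forced on every page",
}

# Assumption for this example: hosts the reviewer accepts as defaults.
TRUSTED_SUFFIXES = ("microsoft.com", "msn.com")

LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Constructed sample log; hosts, CLSID and file names are placeholders.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hijack.example/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.hijack.example/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O1 - Hosts: 203.0.113.7 auto.search.msn.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\sample.dll
O4 - HKLM\..\Run: [sample] C:\WINDOWS\sample.exe
O13 - DefaultPrefix: http://redir.hijack.example/?q=
O19 - User stylesheet: C:\WINDOWS\sample.css
"""


class Entry(NamedTuple):
    code: str
    body: str


def parse_log(text):
    """Return the coded entries of a HijackThis log, skipping the header
    and the running-process list, which carry no section code."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def _host_is_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def triage(entries):
    """Return (code, reason, body) tuples. O2/O4 entries are listed for
    manual review rather than judged automatically."""
    findings = []
    for e in entries:
        if e.code in ("R0", "R1"):
            # Body looks like: HKCU\...\Main,Start Page = http://host/
            value = e.body.partition(" = ")[2].strip()
            if "://" in value and not _host_is_trusted(value):
                findings.append((e.code, "start/search page points off-default", e.body))
        elif e.code == "O1":
            # Body looks like: Hosts: <ip> <hostname>
            parts = e.body.split()
            if len(parts) >= 3 and parts[1] not in ("127.0.0.1", "::1"):
                reason = "hosts file sends %s to %s" % (parts[2], parts[1])
                findings.append((e.code, reason, e.body))
        elif e.code in ("O5", "O6", "O7", "O13", "O19"):
            findings.append((e.code, SECTION_NOTES[e.code], e.body))
        elif e.code in ("O2", "O4"):
            findings.append((e.code, "review: " + SECTION_NOTES[e.code], e.body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_log(SAMPLE_LOG)):
        print("%-3s %s\n    %s" % (code, reason, body))
```

The O2 and O4 lines are only listed for review, since a helper object or startup entry cannot be judged from its name alone.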



Slimwhitman

Ok, I just went and tried all of these sites as well. I
can't post on any forum that makes me log in. Now I've
tried saying this before and everyone keeps giving me the
same information. I'm so frustrated I could scream. This
problem has been going on for days and I see no end to
this circle. Everyone keeps skipping over the fact that
part of my problem is that my browser won't let me go onto
forums properly. This forum allows anyone to post without
logging in and hence I can post here, and as far as I can
tell only here. Now that being said:

I have run Ad-aware; virus came right back
I have run Spybot S&D; virus came right back
I have run CWShredder; virus came right back
I have run HiJackThis but I can't get help with the log
file and I've been given a bunch of websites to try
posting it on. All of them require me to use a login.

I'm sure there is some hidden file somewhere; I just have
no idea how to find it.



-----Original Message-----
Slim,
I just saw your earlier post. You're being hijacked to nkvd.us, right?

See if you can download CWShredder from one of these sites:
http://www.spywareinfo.com/~merijn/files/cwshredder.zip
http://www.zerosrealm.com/downloads/CWShredder.zip
http://radiosplace.com/
http://computercops.biz/downloads-cat-14.html

Don
--
MVP IE/OE
Please reply to the newsgroup so that others may participate.

H Leboeuf

If you installed these patches then get 831167.

A security update was made available that modifies the default behavior of
Internet Explorer for handling user information in HTTP and in HTTPS URLs
http://support.microsoft.com/?kbid=834489

If applicable.

Fix, if This problem occurs after you apply the 832894 security update
(MS04-004) or the 821814 hotfix.


http://support.microsoft.com/?kbid=831167
SYMPTOMS
Programs that use Wininet functions to post data (such as a user name or a
password) to a Web server retry the POST request with a blank header if the
Web server closes (or resets) the initial connection request.
--

Select Internet Explorer on this page for some clues.
http://www.colba.net/~hlebo49/password.htm

Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm
** NOTE NEW ADDRESS **
Pages at generation.net will no longer be updated.
===
 
Jim Byrd

Hi Slim - Since you can't get into the normal fora, post your HiJackThis
logs (with an explanation as to why you're doing so) in the
alt.privacy.spyware newsgroup and ask for assistance there.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



Slim

Thanks for your help Jim, but I'm afraid that I don't know
what you mean. Is that alt.privacy.spyware a website? If
so, can you give me the exact location? If I use the search
features I'll get redirected.

Don Varnau

Slim,
Copy + paste your HijackThis log into a message and send it to me at
don_04[at]varnau[dot]org (Make the obvious changes to that address)

Don
 
Don Varnau

Has this been brought up? From Internet Options> Privacy, are you allowing
all cookies? That could be causing the login problem. Are you running any
programs which might be blocking cookies?

Don
 
Jim Byrd

Hi Slim - Sorry, I wasn't explicit enough. That's a newsgroup. You can
probably subscribe to it through your ISP's news server.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
Slim said:
Thanks for you help Jim but I'm afraid that I don't know
what you mean.. is that alt.privacy.spyware a website, if
so can you give me the exact location if I use the search
features I'll get redirected.

-----Original Message-----
Hi Slim - Since you can't get into the normal fora, post your HiJackThis
logs (with an explanation as to why you're doing so) in the
alt.privacy.spyware newsgroup and ask for assistance there.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
Slimwhitman said:
Ok I just went and tried all of these sites as well.. I
can't post on any forum that makes me log in. Now I've
tried saying this before and everyone keeps giving me the
same information. I'm so frustrated I could scream this
problem has been going of for days and I see no end to
this circle. Everyone keeps skipping over the fact that
part of my problem is that my browser won't let me go onto
forums properly. This forum allows anyone to post without
logging in and hence I can post here.. and as far as I can
tell only here. Not that being said.

I Have run Ad=aware virus came right back
I Have run Spybot S&D virus came right back
I Have run CWShredder virus came right back
I Have run HiJackThis but I can't get help with the log
file and I've been given a bunch of websites to try
posting it on. All of them require me to use a login.

I'm sure there is some hidden file somewhere I just have
no idea how to find it.




-----Original Message-----
Hi Slim - I'll repeat the appropriate part of my previous post:

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?
id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://216.180.233.162/~swicom/forums/

or Net-Integration here:
http://www.net-integration.net/cgi-
bin/forum/ikonboard.cgi?
s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).


See if you can do this.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In SlimWhitman <[email protected]> typed:
Ok I was able to get a copy of CWShredder and ran it. It
said it found something and fixed it just like SpyBot
however it didn't fix my problem. I'm still being HiJacked
and I'm still unable to use the address bar, and I'm still
unable to use login/password protected sites. I've run
Ad-aware, SpyBot S&D, CWShredder, and HiJackThis and the
first 3 said they fixed the problem and didn't.
HiJackThis I have no idea what I'm looking for in the log
file or how to use the information.

I've spoken to 2 other people that have been redirected to
the same site that I have been. They have both rebooted
their entire system and are still going through this. So
I'm completely lost as to how to fix this. If I thought I
could just slam my system back to new to get rid of it I
would.. but this doesn't seem to work either from what
they tell me.

BTW Off topic but isn't doing this to someone's system
illegal or something? Anyone with info on that I would
appreciate as well.

-----Original Message-----
Slim,
I just saw your earlier post. You're being hijacked to nkvd.us, right?

See if you can download CWShredder from one of these sites:
http://www.spywareinfo.com/~merijn/files/cwshredder.zip
http://www.zerosrealm.com/downloads/CWShredder.zip
http://radiosplace.com/
http://computercops.biz/downloads-cat-14.html

Don
--
MVP IE/OE
Please reply to the newsgroup so that others may participate.


<anonymous[at]discussions.microsoft.com> wrote in message
These are the steps I have taken so far...
I downloaded Ad-aware, SpyBot and HiJackThis.
All of these detect the problem however none of them seem
to get rid of it.. I can't log into any forums that don't
automatically log me in when I go to the page.. any
login/password does not work..(LET ME BE SPECIFIC) I have
tried many forums many logins and I have double and triple
checked.. I can't log onto any page that requires a
password.. If I click ok/enter it just makes me put the
login/pass over and over... At first I didn't realize this
was my browser or part of the parasite until it was
determined that it happens on all the pages I visit that
require a login/pass and don't log me in automatically.
Originally I believed it was just redirecting my homepage
and messing with my addressbar/search features, this is
not the case. Now I have run the programs mentioned these
I was told to run in an earlier post about "Unwanted
Homepages" several times I have found that even if SpyBot
or Ad-aware removed them they come right back.. I posted
back and they informed me to get HiJackThis and where and
how to post the log file it creates for further
assistance. Here is where I've come to an impasse.. I can't
post the log file with this parasite. I have tried to get to
the site for CWShredder but for some reason it won't load
correctly.. I'm not sure why though. Please any help in
this would be appreciated.
-----Original Message-----
Try this...
From Control Panel> Internet Options> Advanced> uncheck "Enable third party
browser extensions." Does that allow you to login to any of the sites?

Have you been able to run CWShredder, Ad-aware and/or Spybot?
http://mvps.org/winhelp2002/unwanted.htm

Try the parasite scan at http://www.aumha.org/a/noads.htm

Post back to this thread if none of these suggestions help.

Don
--
MVP IE/OE
Please reply to the newsgroup so that others may participate.


"SlimWhitman" wrote in message
I started a post a while back asking for help with an
unwanted home page. But it seems the problem is much
deeper. I can't seem to enter a login/password for any site
except this one and it logs me on automatically. Any other
site I try to log onto it just kicks me back to the
login/password screen. This means that even though I have a
HiJackThis log I can't get anyone to analyze it. I've
found several entries in my registry but I don't know
how to fix this problem or how to find the program that is
installing it. It also redirects my homepage to some porn
site and won't allow usage of the address bar at all. If
you try to manually type in an address it reverts to the
default homepage they have hijacked me to.

 
S

Slim Whitman

Thanks everyone for your help.
I was able to get help with my HiJackThis log and get rid
of the virus I believe. While I was working on this I read
some pages that explained how I could better protect
myself. If you could direct me once again to a few of
those sites it would be great.

-----Original Message-----
Slim,
Copy + paste your HijackThis log into a message and send it to me at
don_04[at]varnau[dot]org (Make the obvious changes to that address)

Don
--
MVP IE/OE
Please reply to the newsgroup so that others may participate.


Thanks for your help Jim but I'm afraid that I don't know
what you mean.. is that alt.privacy.spyware a website, if
so can you give me the exact location if I use the search
features I'll get redirected.

 
J

Jim Byrd

Hi Slim - Glad you got it cleaned up. If you want to take steps to defend
your machine, there are a number of things which need to be considered. I
would suggest the following:

The minimum necessary to start with are a good hardware or software firewall
and an AV.

For the general hijack case, the best way to start is to get Ad-Aware 6.0,
Build 181 or later, here: http://www.lavasoftusa.com/support/download/.
UPDATE and run this regularly to get rid of most "spyware/hijackware" on
your machine. If it has to fix things, be sure to re-boot and rerun
AdAware again and repeat this cycle until you get a clean scan. The reason
is that it may have to remove things which are currently "in use" before it
can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.


Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm


Next, courtesy of Mike Burgess:

"--Recommended Minimum Security Settings--

Close all instances of IE and OE
Control Panel | Internet Options

Click on the "Security" tab
Highlight the "Internet" icon, click "Custom Level"

1) "Download signed ActiveX scripts" = Prompt
2) "Download unsigned ActiveX scripts" = Disable
3) "Initialize and script ActiveX not marked as safe" = Disable
4) "Installation of Desktop items" = Prompt
5) "Launching programs and files in a IFRAME" = Prompt

Click on the "Content" tab
Click the "Publishers" button

Highlight and click "Remove" any unknowns, click Ok

Click on the "Advanced" tab
Uncheck: "Install on demand (other)", click Apply\Ok

Prevent your "HomePage" setting from being Hijacked
http://www.mvps.org/winhelp2002/ietips.htm
_____________________________
Mike Burgess
Information isn't free if you can't find it!
http://www.mvps.org/winhelp2002/"


Note the Publisher setting - this vector is often overlooked.


Then, from me:

You might want to consider installing the SpywareBlaster and SpywareGuard
here to help prevent this kind of thing from happening in the future:
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running (887 parasites
as of this date) if it is already installed, and it provides information and
fixit-links for a variety of parasites.
http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts
to install malware) Keep it UPDATED. Both Very Highly Recommended.


Next, install and keep updated a good HOSTS file. It can help you avoid
most adware/malware. See here: http://www.mvps.org/winhelp2002/hosts.htm
(Be sure it's named/renamed HOSTS - all caps, no extension)


Lastly, with regards to cookies: Courtesy of Mel's Spyware Tools, here:
http://homepage.cooketech.net/~cybermel/Mel's Spyware Tools and Ad Blockers.html

XML-Menu for IE6 - (http://www.staff.uiuc.edu/~ehowes/main.htm, click on IE6
Tools on website) "This package contains a full menu of custom Import XML
files that can be used to manipulate IE6's handling of cookies in the
Internet and Trusted zones (the Privacy tab controls only the Internet
zone). The files are divided into three sets: one "short list" of
recommended files, and two "advanced" lists containing a wide range of
possible Privacy configurations. The ReadMe covers the basics of using
custom XML Import files and details all the files that are available. A
.REG file that can be used to restore the default Privacy tab settings is
included."

This is the technique that I use and, while I do very infrequently have to
override on some sites that don't have a Privacy Policy in place, I've found
it almost infallible in stopping bad cookies (I use 1-e, BTW). FWIW, Eric
Howes' site, above, is one of the very best on the net with regard to
anything having to do with security. Very Highly Recommended.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
Slim Whitman said:
Thanks everyone for your help.
I was able to get help with my HiJackThis log and get rid
of the virus I believe. While I was working on this I read
some pages that explained how I could better protect
myself. If you could direct me once again to a few of
those sites it would be great.

-----Original Message-----
Slim,
Copy + paste your HijackThis log into a message and send it to me at
don_04[at]varnau[dot]org (Make the obvious changes to that address)

Don
--
MVP IE/OE
Please reply to the newsgroup so that others may participate.


Slim said:
Thanks for your help Jim but I'm afraid that I don't know
what you mean.. is that alt.privacy.spyware a website, if
so can you give me the exact location if I use the search
features I'll get redirected.
-----Original Message-----
Hi Slim - Since you can't get into the normal fora, post your HiJackThis
logs (with an explanation as to why you're doing so) in the
alt.privacy.spyware newsgroup and ask for assistance there.

.
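The "Recommended Minimum Security Settings" quoted in the post above can be checked without clicking through the dialog. The following is an added example, not part of the thread or of any tool it names: it audits a registry export of the Internet zone against those five settings. The numeric value names (1001, 1004, 1201, 1800, 1804), the zone key and the 0/1/3 encoding are Microsoft's documented URL-action IDs and are an assumption here, since the thread only gives the dialog labels; the sample export is constructed.

```python
import re

# Internet zone = Zones\3. Value names are Microsoft's documented URL-action
# IDs (assumption: the thread itself lists only the dialog labels).
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
RECOMMENDED = {  # labels as worded in the post
    "1001": ("Download signed ActiveX scripts", PROMPT),
    "1004": ("Download unsigned ActiveX scripts", DISABLE),
    "1201": ("Initialize and script ActiveX not marked as safe", DISABLE),
    "1800": ("Installation of Desktop items", PROMPT),
    "1804": ("Launching programs and files in a IFRAME", PROMPT),
}

def parse_zone(reg_text, key=ZONE_KEY):
    """Return {value_name: int} for the DWORD values under `key` in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower().endswith(key.lower())
        elif in_key:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                values[m.group(1)] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """Return (label, current, recommended) for each setting that is weaker or unset."""
    current = parse_zone(reg_text)
    findings = []
    for name, (label, want) in RECOMMENDED.items():
        have = current.get(name)
        if have is None or have < want:  # 0 < 1 < 3: larger is more restrictive
            findings.append((label, NAMES.get(have, "not set"), NAMES[want]))
    return findings

# Constructed sample export (not taken from the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1804"=dword:00000001
'''

if __name__ == "__main__":
    for label, have, want in audit(SAMPLE):
        print(f"{label}: {have} -> should be {want}")
```

A setting stricter than the recommendation (Disable where Prompt is asked for) is not reported. Exports written by regedit in "Version 5.00" format are UTF-16, so open them with `encoding="utf-16"` before passing the text in.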
 
