IE v6 "Use Default" Home Page Infected - HELP

cutu07 · Dec 20, 2003

Hello,

Eventhough Norton managed to quarantined the infected
files, the attempted attack somehow successfully buried a
file/program that changed my "Use Default" Home Page to
this crap "http://in.webcounter%
2e%63%63/%2d/?%79%64%74%66%73", and my "Use Current" Home
Page always reset to "http://t.rack.cc/h.php?aid=35"
everytime after reboot, despite that I already changed it
to something else prior to reboot.

I'm not sure whether re-installing my IE will solve this
problem or not. I would highly appreciate anyone's
expertise in solving this problem. Thanks.

ps: Upon running Norton and Ad-Aware could not detect
presence of any viral infection or unwanted files.

Mike Burgess · Dec 20, 2003

cutu07,
That long URL decodes to: in.webcounter.cc
in.webcounter.cc = CWS.Tapicfg.2 (coolwebsearch trojan)

How to remove Coolwebsearch and affiliates
http://mvps.org/winhelp2002/unwanted.htm#Coolwebsearch

Note: this type hijack indicates an unpatched machine, that is lacking
in "Defense". Please visit Windows Update to avoid these exploits.
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-15-03]
Please post replies to this Newsgroup, email address is invalid

cutu07 · Dec 20, 2003

Mike,

Thanks for your reply. I jst updated my Ad-Aware and upon
running it, managed to remove the alien file and restored
my "Use Default" Home Page to www.msn.com. And it stays
unchanged ever after reboot. However, the "Use Current"
Home Page still reset to "http://t.rack.cc/h.php?aid=35"
everytime after reboot, and when I clicked on the "Use
Current" button, it changed
to "res://C:\WINDOWS\SYSTEM\SHDOCLC.DLL/offcancl.htm".
What does this mean? How do I access to a "res://"
directory? Is the "offcancl.htm" file the culprit?

Also, I went to this
site "http://www.mvps.org/winhelp2002/ietips.htm#Protecting
and downloaded both the HKCU_Hide_HomePage.reg and
HKLM_Hide_HomePage.reg files. However, ipon "merging" the
either file, a mssg appear saying that its not a registry
script. Do you know whats the problem there?

Appreciate your help again. Thanks.

cutu07

-----Original Message-----
cutu07,
That long URL decodes to: in.webcounter.cc
in.webcounter.cc = CWS.Tapicfg.2 (coolwebsearch trojan)

How to remove Coolwebsearch and affiliates
http://mvps.org/winhelp2002/unwanted.htm#Coolwebsearch

Note: this type hijack indicates an unpatched machine, that is lacking
in "Defense". Please visit Windows Update to avoid these exploits.

__________________________________________________________

Click to expand...

__
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-15- 03]
Please post replies to this Newsgroup, email address is invalid
--

Hello,

Eventhough Norton managed to quarantined the infected
files, the attempted attack somehow successfully buried a
file/program that changed my "Use Default" Home Page to
this crap "http://in.webcounte% 72%
2e%63%63/%2d/?%79%64%74%66%73", and my "Use Current" Home
Page always reset to "http://t.rack.cc/h.php?aid=35"
everytime after reboot, despite that I already changed it
to something else prior to reboot.

I'm not sure whether re-installing my IE will solve this
problem or not. I would highly appreciate anyone's
expertise in solving this problem. Thanks.

ps: Upon running Norton and Ad-Aware could not detect
presence of any viral infection or unwanted files.

Click to expand...

.

Ramesh [MVP] · Dec 20, 2003

Have you tried CWShredder? It specializes in removing the CWS spyware and its variants.

--
Ramesh - Microsoft MVP
http://www.mvps.org/sramesh2k
-------------------------------------------
Computer viruses: description, prevention, and recovery:
http://support.microsoft.com/?kbid=129972
-------------------------------------------

Mike,

Thanks for your reply. I jst updated my Ad-Aware and upon
running it, managed to remove the alien file and restored
my "Use Default" Home Page to www.msn.com. And it stays
unchanged ever after reboot. However, the "Use Current"
Home Page still reset to "http://t.rack.cc/h.php?aid=35"
everytime after reboot, and when I clicked on the "Use
Current" button, it changed
to "res://C:\WINDOWS\SYSTEM\SHDOCLC.DLL/offcancl.htm".
What does this mean? How do I access to a "res://"
directory? Is the "offcancl.htm" file the culprit?

Also, I went to this
site "http://www.mvps.org/winhelp2002/ietips.htm#Protecting
and downloaded both the HKCU_Hide_HomePage.reg and
HKLM_Hide_HomePage.reg files. However, ipon "merging" the
either file, a mssg appear saying that its not a registry
script. Do you know whats the problem there?

Appreciate your help again. Thanks.

cutu07

-----Original Message-----
cutu07,
That long URL decodes to: in.webcounter.cc
in.webcounter.cc = CWS.Tapicfg.2 (coolwebsearch trojan)

How to remove Coolwebsearch and affiliates
http://mvps.org/winhelp2002/unwanted.htm#Coolwebsearch

Note: this type hijack indicates an unpatched machine, that is lacking
in "Defense". Please visit Windows Update to avoid these exploits.

__________________________________________________________

Click to expand...

__
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-15- 03]
Please post replies to this Newsgroup, email address is invalid
--

Hello,

Eventhough Norton managed to quarantined the infected
files, the attempted attack somehow successfully buried a
file/program that changed my "Use Default" Home Page to
this crap "http://in.webcounte% 72%
2e%63%63/%2d/?%79%64%74%66%73", and my "Use Current" Home
Page always reset to "http://t.rack.cc/h.php?aid=35"
everytime after reboot, despite that I already changed it
to something else prior to reboot.

I'm not sure whether re-installing my IE will solve this
problem or not. I would highly appreciate anyone's
expertise in solving this problem. Thanks.

ps: Upon running Norton and Ad-Aware could not detect
presence of any viral infection or unwanted files.

Click to expand...

.

rufus echols · Dec 20, 2003

no, uninstalling want solve it because you have a spyware
secretly installed on your computer. Go to the site
below to find out more and to get a fix to correct this.
http://mvps.org/win2002help/unwanted.htm

Mike Burgess · Dec 20, 2003

cutu07,
Did you run CWShredder as suggested "before" running Ad-Aware?
If not ... go back and do that, then run Ad-Aware again, if the problem
still exists, post a HijackThis log on Lavasoft's Forum.

"Do you know whats the problem there?"

Yup, those reg files are for XP, oops! ... I'll change that later today,
sorry.
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-19-03]
Please post replies to this Newsgroup, email address is invalid
--

cutu07 said:
Mike,

Thanks for your reply. I jst updated my Ad-Aware and upon
running it, managed to remove the alien file and restored
my "Use Default" Home Page to www.msn.com. And it stays
unchanged ever after reboot. However, the "Use Current"
Home Page still reset to "http://t.rack.cc/h.php?aid=35"
everytime after reboot, and when I clicked on the "Use
Current" button, it changed
to "res://C:\WINDOWS\SYSTEM\SHDOCLC.DLL/offcancl.htm".
What does this mean? How do I access to a "res://"
directory? Is the "offcancl.htm" file the culprit?

Also, I went to this
site "http://www.mvps.org/winhelp2002/ietips.htm#Protecting
and downloaded both the HKCU_Hide_HomePage.reg and
HKLM_Hide_HomePage.reg files. However, ipon "merging" the
either file, a mssg appear saying that its not a registry
script. Do you know whats the problem there?

Appreciate your help again. Thanks.

cutu07

-----Original Message-----
cutu07,
That long URL decodes to: in.webcounter.cc
in.webcounter.cc = CWS.Tapicfg.2 (coolwebsearch trojan)

How to remove Coolwebsearch and affiliates
http://mvps.org/winhelp2002/unwanted.htm#Coolwebsearch

Note: this type hijack indicates an unpatched machine, that is lacking
in "Defense". Please visit Windows Update to avoid these exploits.

__________________________________________________________

Click to expand...

__
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-15- 03]
Please post replies to this Newsgroup, email address is invalid
--

Hello,

Eventhough Norton managed to quarantined the infected
files, the attempted attack somehow successfully buried a
file/program that changed my "Use Default" Home Page to
this crap "http://in.webcounte% 72%
2e%63%63/%2d/?%79%64%74%66%73", and my "Use Current" Home
Page always reset to "http://t.rack.cc/h.php?aid=35"
everytime after reboot, despite that I already changed it
to something else prior to reboot.

I'm not sure whether re-installing my IE will solve this
problem or not. I would highly appreciate anyone's
expertise in solving this problem. Thanks.

ps: Upon running Norton and Ad-Aware could not detect
presence of any viral infection or unwanted files.

Click to expand...

.

Click to expand...

Default Home Page	1	Feb 16, 2004
Default Home Page	3	Oct 6, 2003
IE default home page problem	4	Sep 24, 2003
Homepage	1	Apr 10, 2004
IE Home page	2	Apr 21, 2004
home page changing	3	Feb 10, 2004
IE home page keeps resetting	3	Apr 4, 2004
changing default page problem	3	Jan 3, 2004

IE v6 "Use Default" Home Page Infected - HELP

cutu07

Mike Burgess

cutu07

Ramesh [MVP]

rufus echols

Mike Burgess

Ask a Question

Similar Threads