Anyone know how to get rid of latest cool Web hijack?


JethroUK©

tried CWShredder & Adaware - it disappears for that day, only to reappear
next day
 
Hey JethroUK© ! :-)

Try the following information. This just became available late yesterday.
Don't let the name AdAware fool you, it is not the same, in that there is
now this plug-in for AdAware to kill the latest variant. There are a few
others right below it that are also relatively new, and you can try them as
well. If these don't work for you post back and I'll dig into my 'Merijn's'
bag of tricks and see what I can find. ;-))

VX2 Variant Plug-In Cleaner - From Ad-Aware:
This VX2 variant registers itself in a way, which gives it system
privileges. It also prevents the user from viewing this information by
removing the user's rights to do so. Furthermore it constantly
monitors the registry and prevents any attempts to remove its
associated values. This makes it very difficult for the user to
manually remove it

- Close Ad-Aware 6 build 181 and Ad-Watch (if running)
- Download the free VX2 Cleaner at
http://www.lavasoft.de/software/plugins/vx2cleaner.shtml
- Install the VX2 Cleaner
- Start Ad-Aware 6 build 181
- Go to "Plug-ins"
- Select the VX2 Cleaner plug-in and click "Run Plugin"
- If your computer isn't infected, click "Close".

also..................

New CWS variant that hijacks you to res://<random>.dll/sp.html#96676.

Here are some other links which may shed some extra light:
http://forums.spywareinfo.com/index.php?showtopic=8847
http://forums.spywareinfo.com/index.php?showtopic=7447
http://forums.spywareinfo.com/index.php?showtopic=7261
http://forums.spywareinfo.com/index.php?showtopic=7281

How you know you have it: When you start up Internet Explorer it takes a
few seconds to load and in the address bar it starts with res://<Random.dll>

Per Merijn - http://www.spywareinfo.com/~merijn/index.html

A solution is being worked on, see this thread on the SWI forums.
http://forums.spywareinfo.com/index.php?showtopic=7447

If it's not working for you, or it's too complicated, I heard from several
people that this workaround works as well:
Open the DLL you get hijacked to in Notepad
Select all content (Ctrl-A) and delete it
Save the file and exit Notepad
Find the file in Explorer, right-click it, select Properties, put a
checkmark in 'Read-Only' and click OK.
If you can't find the DLL file, make sure your settings allow you to view
"Hidden files". Open up any explorer windows and click on "Tools", "Folder
Options", "View" and be sure to check off "Show Hidden Files and Folders".

also....................................

Newest Website Malware

What You Should Know About Download.Ject
http://www.microsoft.com/security/incident/download_ject.mspx

and..................

About:Buster - There is also a removal tool and get it here.
http://tools.zerosrealm.com/AboutBuster.zip


Hope this helps.

Jan :)

Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
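
The symptom described in the post above (Internet Explorer opening on res://<random>.dll/sp.html#96676) can be checked for offline in an exported copy of the Internet Explorer settings. The Python script below is an added example, not part of the original posts or of any tool named in this thread; the watched value names, the allowlist of built-in modules and the sample export (including the DLL name xmplqr.dll) are assumptions constructed for illustration.

```python
import re

# Internet Explorer value names that browser hijackers commonly overwrite.
# These are standard IE settings chosen for this example; the thread itself
# only describes the res:// symptom seen in the address bar.
WATCHED_VALUES = {"start page", "search page", "search bar",
                  "default_page_url", "default_search_url"}

# Modules that legitimately serve IE's built-in res:// pages (assumed allowlist).
KNOWN_GOOD_MODULES = {"shdoclc.dll", "shdocvw.dll", "mshtml.dll", "ieframe.dll"}

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Only REG_SZ lines ("name"="data"); dword:/hex: values do not match and are skipped.
STRING_VALUE = re.compile(
    r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')
# res://<module path ending in .dll>/<resource>[#fragment]
RES_URL = re.compile(
    r"^res://(?P<module>.+?\.dll)/(?P<resource>[^#]*)(?:#(?P<fragment>.*))?$",
    re.IGNORECASE)


def unescape(value):
    """Undo .reg escaping: a doubled backslash and an escaped quote."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg_export(text):
    """Yield (key, value name, string data) from the text of a .reg export.

    regedit writes version 5.00 exports as UTF-16; decode the file before
    passing its text in.
    """
    key = None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group("key")
            continue
        value = STRING_VALUE.match(line)
        if value and key:
            yield key, unescape(value.group("name")), unescape(value.group("data"))


def find_res_hijacks(text):
    """Return watched IE settings that point at a res:// page in an unknown DLL."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if name.lower() not in WATCHED_VALUES:
            continue
        url = RES_URL.match(data.strip())
        if not url:
            continue
        module = url.group("module")
        basename = re.split(r"[\\/]", module)[-1].lower()
        if basename in KNOWN_GOOD_MODULES:
            continue
        findings.append({
            "key": key,
            "value": name,
            "module": module,          # the DLL to locate on disk
            "resource": url.group("resource"),
            "fragment": url.group("fragment"),
        })
    return findings


# Constructed sample export; xmplqr.dll is a made-up name standing in for
# the random DLL name the post mentions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="res://C:\\WINDOWS\\system32\\xmplqr.dll/sp.html#96676"
"Search Page"="http://www.example.com/search"
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"
"Show_StatusBar"="yes"
"NotifyDownloadComplete"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Bar"="res://C:\\WINDOWS\\xmplqr.dll/sp.html#96676"
"Default_Page_URL"="res://shdoclc.dll/navcancl.htm"
'''

if __name__ == "__main__":
    for hit in find_res_hijacks(SAMPLE_REG):
        print(f'{hit["key"]} -> "{hit["value"]}" loads {hit["module"]}')
```

The module path in each finding is the DLL that the manual steps in the post refer to, so it tells you which file to look for once hidden files are visible.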
 
thanx - i been struggling with it for a week now - ended up reinstalling ie
& it seems to be gone now - i will try the plug-in if it comes back
 
Hi JethroUK© :-)

If it is a virus, it will be back. If it wasn't, then that may cure it.
;-))

Thank you for letting us know what helped resolve your problem, and for the
benefit of other readers.

Jan :)
 

just to elaborate (if anyone else is suffering) - my browser got hijacked by
the new cool web about a week ago - i ran Adaware (usually does the trick),
it found all the usual suspects and deleted them - my browser ran fine all
day, only for it to return next day - over the week i scoured the web for
info about this new hijacker, kept running adaware everyday, but it always
returned, read some lengthy posts which never found a cure - downloaded and
ran CWShredder which had no effect at all - i did notice that the 'hosts'
file was write protected & it stopped working (as if it was being
by-passed), also noticed some suspicious pointing towards 'iexplorer.exe',
which made me wonder whether it had actually corrupted Internet explorer
itself

shut down my internet connection
ran adaware
reinstalled internet explorer
rebooted
2 days in and all still peachy with one exception - 'hosts' file still
doesn't work

let you know if it comes back - otherwise consider it cured
 
Hi JethroUK© :-)

Thank you for the follow up on the method of removal. I might add that the
plug-in for AdAware became available day before yesterday. And yes, that
virus is a real bugger to get rid of. You might keep the information on
that add-in handy in case someone you know happens to get it. As you now
know, the regular AdAware without it won't do the trick. It has to have the
add-in to cure it.

Good luck, and I am hoping it is gone for good! :-))

Jan :)
 
update: - it's back :o( tried the plug-in but it makes no difference at
all - adaware cant cure it - starting to look elsewhere - let you know if i
find a cure, but it's looking like total windows reinstall (which i could've
done 10 times by now :o)
 
Hi JethroUK© :-)

You've got that dang nasty one....<sigh>

Try the following and see if this helps. We're still searching and I'm
hoping to locate the one that is now being used, but, they moved it. Use
unhidden files.

RUN EVERYTHING IN SAFE MODE AND REBOOT IN BETWEEN RUNS. YOU MAY HAVE TO RUN
THEM SEVERAL TIMES.

CoolWWWSearch.SmartKiller (v1 and v2) variant of CoolWWWSearch. When
running, it will close every browser window you use to visit a large list of
anti-spyware-sites, and even will close Spybot-S&D and some other
anti-spyware applications as well.

CWS.SmartKiller removal utility
http://www.safer-networking.org/files/delcwssk.zip

or..................

CWShredder Related Quote

Courtesy of Jim Byrd:
Sounds like this might be a variant of some malware called CoolWebSearch (if
CWShredder doesn't fix it, then see AdAware, SpyBot, and HijackThis, below,
in that order). Do the following:

Before you try to remove spyware using any of the programs below, download a
copy of LSPFIX from any of the following sites:

http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
XP)

The process of removing certain malware may kill your internet connection.
If this should occur, this program, LSPFIX, will enable you to regain your
connection.

Download, UPDATE before running, and run:
http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
Be sure to close all instances of IE and OE. You may also get it here if
that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip

BE SURE that you get v.158 or later!

You will need to show Hidden files first and then at the end clear the
malware garbage from your System Restore backups after you've cleaned up.
It's best to perform CWShredder (and most other malware fixers too) from
Safe mode and then reboot. AFTER cleaning things up, then you can disable
and then re-enable System Restore. See ******** below.

The following links give instructions on how to do these various functions:

HOW TO Restart in Safe Mode
<http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406>

HOW TO Enable Hidden Files
<http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339>

HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
use the suggested procedure for XP at the ******'s)
<http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039>
(WinXP)
<http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239>
(WinME)

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions if they've been affected (as they probably will have
been).

Be sure that you also download and install hotfix Q816093, here:
http://support.microsoft.com/?kbid=816093
which blocks the exploit upon which this parasite family depends.

However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm

Both of these programs should normally be UPDATED and run after doing any
other fix such as CWShredder and, as a minimum, normally at least once a
week.

If they don't fix it then start here:

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Unzip the downloaded HijackThis to any convenient folder, start it then
press Scan. Click on SaveLog when it's finished which will create
hijackthis.log. Now click the Config button, then Misc Tools and click on
Generate StartupList.log which will create Startuplist.txt

Then go to one of the following forums:

Jim Eshelman's site here:
HiJackThis section:
http://forum.aumha.org/

Spyware and Hijackware Removal Support, here:
http://216.180.233.162/~swicom/forums/

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx

Sign in, then copy and paste both files into a message asking for
assistance. Someone will answer with detailed instructions for the removal
of your parasite(s).
*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******
Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware
ActiveX installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.

http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended

Finally, go to Windows Update and ensure that ALL Critical updates are
installed.

Hope this helps.

Jan :)

Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit of other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
http://home.satx.rr.com/badour/html/post.html
 
cured by About Buster (nothing else):

http://tools.zerosrealm.com/AboutBuster.zip

Brilliant!


 
Hi JethroUK© :-)

Wonderful! Now go forth and help slay more of those nasty dragons. :-)

Jan :)