karal
07-09-2005, 11:11 PM
Don't know how to thank you enough. Have been struggling with a few problems
including browser and homepage being hijacked to about:blank. Followed your
instructions and the problem seems to be gone. Internet Explorer is now
working perfectly. Thanks again.
"Jan Il" wrote:
> Hi deerbuck :-)
>
> > I am using a blank page for my home page. The address bar displays
> > "about:blank". Is this normal?
>
> This may be a newer variant of about: blank. Methods that previously
> removed the previous variant may not have any effect on it. Try the
> following and follow all instructions carefully to clean your system fully.
> This variant replicates itself, thus, you must fully clean it from your
> system. This coolwebsearch infection uses a hidden dll to reinfect, thus it
> replicates itself over and over if not removed properly.
>
> <<<<BE SURE TO FOLLOW ALL INSTRUCTIONS CAREFULLY>>>>
>
> CAUTION!!!!!
> Before you try to remove spyware using any of the programs below, download a
> copy of LSPFIX from any of the following sites:
> http://www.cexx.org/lspfix.htm
> http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
> XP) The process of removing certain malware may kill your internet
> connection. If this should occur, this program, LSPFIX, will enable you to
> regain your connection.
>
> Also, get a copy of WINSOCKFIX available at:
> http://www.spychecker.com/program/winsockxpfix.html
>
>
> IMPORTANT!!
> RUN ALL PROGRAMS OFF LINE IN SAFE MODE AND SHOW HIDDEN
> FILES. THEN REBOOT AND RUN THEM AGAIN TO BE SURE ALL FILES
> ARE ACCESSED, DELETING ALL ITEMS DISPLAYED IN RED IN SPYBOT
>
> HOW TO Restart in Safe Mode
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
>
> HOW TO Enable Hidden Files
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
>
> About Buster
> http://www.majorgeeks.com/download4289.html
>
> CWShredder
> http://www.majorgeeks.com/download4086.html
>
> SpyBot Search & Destroy: Free
> http://download.com.com/3000-8022-10289035.html?tag=lst-0-2
>
> AdAware: Free
> http://www.lavasoftusa.com/support/download/
> HOW TO: Reconfigure Ad-aware for a Full Scan
> http://forum.aumha.org/viewtopic.php?t=5877
>
> HiJackThis:
>
> Unzip the Download file in a NEW FOLDER that you can create before you start
> the download.
> DO NOT install in your Desktop folder.
> DO NOT use any of the TEMP folders that are presently in your computer.
> Double-click "HijackThis.exe" and Press "Scan".
>
> Go to:
> http://www.majorgeeks.com/download3155.html
> and download HiJackThis to the new folder. Unzip to a folder other than your
> Desktop or the Temp folder, doubleclick HiJackThis.exe, and hit "Scan".
>
> When the scan is finished, the "Scan" button will change into a "Save Log"
> button. Press that, save the log some place you remember where it is.
> Most of what it lists will be harmless or even required, so DO NOT fix
> anything yet.
>
> Open the copy of your log in NotePad and make a copy. Then you can go to one
> of the following to post your log:
>
> <<PLEASE DO NOT POST YOUR LOG FILE TO THIS NEWSGROUP>>
>
> Spyware and Hijackware Removal Support, here:
> http://216.180.233.162/~swicom/forums/
>
> or Net-Integration here:
> http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>
> or Tom Coyote here:
> http://forums.tomcoyote.org/index.php?act=idx
>
> You will need to register to open a new thread to post your log. It is free,
> and no one will Spam you, it is one of many that provides this service. Once
> registered, go to the HiJackThis section on the forum list and click to
> open. Then start a new post and post your log. The experts there will
> analyze the log and report back the results. Please allow at least a few
> hours or a day's time for a response, depending on when you post the log.
>
> Remember, you must return to the HJT site to get your answer. It is a good
> idea to click the "Notify" box so that you will get an electronic
> notification by e-mail to let you know when a response has been posted.
> But, you must still return to the site of your answer
>
> Finally, go to Windows Update and ensure that ALL Critical updates are
> installed.
>
> If the above does not resolve the problem, then it may be a more recent
> variant so go to the next step and follow all instructions carefully:
>
> New ABOUT:BLANK CWS variant removal tool:
>
> Like any disinfection procedure, it's a bit risky - it deletes an important
> registry key and subsequently restores a revised version. If something goes
> wrong, your PC may no longer work normally.
>
> YOU USE THIS PROCEDURE AT YOUR OWN RISK!
>
> Download Registrar Lite 2.0, install it and run it.
> http://www.majorgeeks.com/download469.html
> http://www.softpedia.com/public/cat/12/5/12-5-21.shtml
>
> Navigate to this key:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
> (note...should be all on one line)
> and look at the AppInit_Dlls value.
>
> Write down the name of the DLL file that's displayed!
>
> (If you see several values separated by commas or spaces, which is unlikely,
> use Windows Explorer to search for each one in the Windows\System32 or
> Winnt\System32 directory. The one you can't find is the one to remember!)
>
> Exit Registrar Lite.
>
>
> Download and run this script. It will delete the CWS AppInit_Dlls value and
> reboot Windows. After the reboot, the shield-DLL file is still on the hard
> disk, but it's no longer a threat to your PC.
> http://www.silentrunners.org/CWS%20Shield%20Dropper.vbs
>
> Download Silent Runners here:
> http://www.silentrunners.org/Silent%20Runners.vbs
> Run it and look at the list of Browser Helper Objects. One of them will have
> a strange name. Write down the file name (including the full path)!
>
> (If you're not sure which BHO was installed by CWS, reboot into Safe Mode
> and follow steps 8-10 here. Commercial programs, such as PestPatrol, are
> also available to identify and delete BHO pests.)
>
> Download and run this script to delete the CWS shield-DLL and the BHO files.
> No reboot will be required.
> http://www.silentrunners.org/CWS%20File%20Cleaner.vbs
>
> Reset your Internet Explorer home page. Your PC should now run normally.
>
> If these steps do not resolve your problem, please post back to this thread
> with the details and any error messages.
>
> Hope this helps
>
> Jan :)
> Smiles are meant to be shared,
> that's why they're so contagious.
>
> Please reply to the newsgroup so others may benefit.
> Replies are posted only to the newsgroup for the benefit of other readers.
>
> How to make a good newsgroup post:
> http://www.dts-l.org/goodpost.htm
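An added example, not part of the original posts or of the tools they link to: the AppInit_Dlls check from the quoted reply, written as a read-only triage helper. It splits the value on commas or spaces and reports which entries do not appear in a normal System32 directory listing. The function names and sample data are hypothetical and constructed for illustration.

```python
import ntpath
import re

# Registry key and value named in the quoted reply.
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_VALUE = "AppInit_DLLs"


def parse_appinit(value):
    """Split an AppInit_DLLs string on commas and/or whitespace."""
    parts = re.split(r"[,\s]+", value.strip())
    return [p.strip('"') for p in parts if p.strip('"')]


def triage_appinit(value, visible_names):
    """Return (found, not_found) entries of an AppInit_DLLs value.

    visible_names is an ordinary directory listing of System32. An entry
    that is registered to load but absent from that listing is the one
    the reply says to write down. Windows file names are compared
    case-insensitively, and only the file-name part of a path is used.
    """
    visible = {name.lower() for name in visible_names}
    found, not_found = [], []
    for entry in parse_appinit(value):
        name = ntpath.basename(entry).lower()
        (found if name in visible else not_found).append(entry)
    return found, not_found


def read_appinit_live():
    """Windows only: read the live value. Opens the key read-only."""
    import winreg  # imported here so the module still loads elsewhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, APPINIT_VALUE)
    return value


# Constructed sample data (not taken from a real system).
SAMPLE_VALUE = r"example_a.dll, C:\WINDOWS\system32\example_b.dll  EXAMPLE_C.DLL"
SAMPLE_LISTING = ["Example_A.dll", "example_c.dll", "kernel32.dll"]

if __name__ == "__main__":
    found, not_found = triage_appinit(SAMPLE_VALUE, SAMPLE_LISTING)
    print("present in listing:", found)
    print("registered but not visible:", not_found)
```

On a live Windows machine, pass `read_appinit_live()` and `os.listdir` of the System32 directory instead of the sample data; an empty value yields two empty lists.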