Ted Dorner
07-09-2005, 11:13 PM
I have a similiar problem, my home page resets to about:blank and the display
show something entitled "quick web search" with a box to put a search term
and a lot of links to click on. It also shows a link titled "unistall
homepage" when I click on it to directs to me web sites wanting to sell me
spy ware software etc. serveral of the sites that come up are
www.spyfighter.com and www.pcadprotector.cc/?qq
I've tried runnibg some of the software below in safe mode several times,
the software deletes detected files, however they come right back. Are you
supposed to run all the software listed i.e. spybot, lavasoft,
cwshredder,about buster??? or just use one? Appreciate any advise you have.
Thanks, Ted
"Jan Il" wrote:
> Hi deerbuck :-)
>
> > I am using a blank page for my home page. The address bar displays
> > "about:blank". Is this normal?
>
> This may be a newer variant of about: blank. Methods that previously
> removed the previous variant may not have any effect on it. Try the
> following and follow and instructions carefully to clean your system fully.
> This variant replicates itself, thus, you must fully clean it from your
> system. This coolwebsearch infection uses a hidden dll to reinfect, thus it
> replicates itself over and over if not removed properly.
>
> <<<<BE SURE TO FOLLOW ALL INSTRUCTIONS CAREFULLY>>>>
>
> CAUTION!!!!!
> Before you try to remove spyware using any of the programs below, download a
> copy of LSPFIX from any of the following sites:
> http://www.cexx.org/lspfix.htm
> http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
> XP) The process of removing certain malware may kill your internet
> connection. If this should occur, this program, LSPFIX, will enable you to
> regain your connection.
>
> Also, get a copy of WINSOCKFIX available at:
> http://www.spychecker.com/program/winsockxpfix.html
>
>
> IMPORTANT!!
> RUN ALL PROGRAMS OFF LINE IN SAFE MODE AND SHOW HIDDEN
> FILES. THEN REBOOT AND RUN THEM AGAIN TO BE SURE ALL FILES
> ARE ACCESSED, DELETING ALL ITEMS DISPLAYED IN RED IN SPYBOT
>
> HOW TO Restart in Safe Mode
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
>
> HOW TO Enable Hidden Files
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
>
> About Buster
> http://www.majorgeeks.com/download4289.html
>
> CWShredder
> http://www.majorgeeks.com/download4086.html
>
> SpyBot Search & Destroy: Free
> http://download.com.com/3000-8022-10289035.html?tag=lst-0-2
>
> AdAware: Free
> http://www.lavasoftusa.com/support/download/
> HOW TO: Reconfigure Ad-aware for a Full Scan
> http://forum.aumha.org/viewtopic.php?t=5877
>
> HiJackThis:
>
> Unzip the Download file in a NEW FOLDER that you can create before you start
> the download.
> DO NOT install in your Desktop folder.
> DO NOT use any of the TEMP folders that are presently in your computer.
> Double-click "HijackThis.exe" and Press "Scan".
>
> Go to:
> http://www.majorgeeks.com/download3155.html
> and download HiJackThis to the new folder. Unzip to a folder other than your
> Desktop or the Temp folder, doubleclick HiJackThis.exe, and hit "Scan".
>
> When the scan is finished, the "Scan" button will change into a "Save Log"
> button. Press that, save the log some place you remember where it is.
> Most of what it lists will be harmless or even required, so DO NOT fix
> anything yet.
>
> Open the copy of your log in NotePad and make a copy. Then you can go to one
> of the following to post your log:
>
> <<PLEASE DO NOT POST YOUR LOG FILE TO THIS NEWSGROUP>>
>
> Spyware and Hijackware Removal Support, here:
> http://216.180.233.162/~swicom/forums/
>
> or Net-Integration here:
> http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>
> or Tom Coyote here:
> http://forums.tomcoyote.org/index.php?act=idx
>
> You will need to register to open a new thread to post you log. It is free,
> and no one will Spam you, it is one of many that provides this service. Once
> registered, go to the HiJackThis section on the forum list and click to
> open. Then start a new post and post your log. The experts there will
> analyze the log and report back the results. Please allow at least a few
> hours or a days time for a response, depending on when you post the log
>
> Remember, you must return to the HJT site to get your answer. It is a good
> idea to click the "Notify" box so that you will get an electronic
> notification by e-mail to let you know when a response has been posted.
> But, you must still return to the site of your answer
>
> Finally, go to Windows Update and ensure that ALL Critical updates are
> installed.
>
> If the above does not resovle the problem, then it may be a more recent
> variant so go to the next step and follow all instructions carefully:
>
> New ABOUT:BLANK CWS variant removal tool:
>
> Like any disinfection procedure, it's a bit risky - it deletes an important
> registry key and subsequently restores a revised version. If something goes
> wrong, your PC may no longer work normally.
>
> YOU USE THIS PROCEDURE AT YOUR OWN RISK!
>
> Download Registrar Lite 2.0, install it and run it.
> http://www.majorgeeks.com/download469.html
> http://www.softpedia.com/public/cat/12/5/12-5-21.shtml
>
> Navigate to this key:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
> (note...should be all on one line)
> and look at the AppInit_Dlls value.
>
> Write down the name of the DLL file that's displayed!
>
> (If you see several values separated by commas or spaces, which is unlikely,
> use Windows Explorer to search for each one in the Windows\System32 or
> Winnt\System32 directory. The one you can't find is the one to remember!)
>
> Exit Registrar Lite.
>
>
> Download and run this script. It will delete the CWS AppInit_Dlls value and
> reboot Windows. After the reboot, the shield-DLL file is still on the hard
> disk, but it's no longer a threat to your PC.
> http://www.silentrunners.org/CWS%20Shield%20Dropper.vbs
>
> Download Silent Runners here:
> http://www.silentrunners.org/Silent%20Runners.vbs
> Run it and look at the list of Browser Helper Objects. One of them will have
> a strange name. Write down the the file name (including the full path)!
>
> (If you're not sure which BHO was installed by CWS, reboot into Safe Mode
> and follow steps 8-10 here. Commercial programs, such as PestPatrol, are
> also available to identify and delete BHO pests.)
>
> Download and run this script to delete the CWS shield-DLL and the BHO files.
> No reboot will be required.
> http://www.silentrunners.org/CWS%20File%20Cleaner.vbs
>
> Reset your Internet Explorer home page. Your PC should now run normally.
>
> If these steps do not resolve your problem, please post back to this thread
> with the details and any error messages.
>
> Hope this helps
>
> Jan :)
> Smiles are meant to be shared,
> that's why they're so contagious.
>
> Please reply to the newsgroup so others may benefit.
> Replies are posted only to the newsgroup for the benefit or other readers.
>
> How to make a good newsgroup post:
> http://www.dts-l.org/goodpost.htm
>
>
>
>
>
>
show something entitled "quick web search" with a box to put a search term
and a lot of links to click on. It also shows a link titled "unistall
homepage" when I click on it to directs to me web sites wanting to sell me
spy ware software etc. serveral of the sites that come up are
www.spyfighter.com and www.pcadprotector.cc/?qq
I've tried runnibg some of the software below in safe mode several times,
the software deletes detected files, however they come right back. Are you
supposed to run all the software listed i.e. spybot, lavasoft,
cwshredder,about buster??? or just use one? Appreciate any advise you have.
Thanks, Ted
"Jan Il" wrote:
> Hi deerbuck :-)
>
> > I am using a blank page for my home page. The address bar displays
> > "about:blank". Is this normal?
>
> This may be a newer variant of about: blank. Methods that previously
> removed the previous variant may not have any effect on it. Try the
> following and follow and instructions carefully to clean your system fully.
> This variant replicates itself, thus, you must fully clean it from your
> system. This coolwebsearch infection uses a hidden dll to reinfect, thus it
> replicates itself over and over if not removed properly.
>
> <<<<BE SURE TO FOLLOW ALL INSTRUCTIONS CAREFULLY>>>>
>
> CAUTION!!!!!
> Before you try to remove spyware using any of the programs below, download a
> copy of LSPFIX from any of the following sites:
> http://www.cexx.org/lspfix.htm
> http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
> XP) The process of removing certain malware may kill your internet
> connection. If this should occur, this program, LSPFIX, will enable you to
> regain your connection.
>
> Also, get a copy of WINSOCKFIX available at:
> http://www.spychecker.com/program/winsockxpfix.html
>
>
> IMPORTANT!!
> RUN ALL PROGRAMS OFF LINE IN SAFE MODE AND SHOW HIDDEN
> FILES. THEN REBOOT AND RUN THEM AGAIN TO BE SURE ALL FILES
> ARE ACCESSED, DELETING ALL ITEMS DISPLAYED IN RED IN SPYBOT
>
> HOW TO Restart in Safe Mode
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
>
> HOW TO Enable Hidden Files
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
>
> About Buster
> http://www.majorgeeks.com/download4289.html
>
> CWShredder
> http://www.majorgeeks.com/download4086.html
>
> SpyBot Search & Destroy: Free
> http://download.com.com/3000-8022-10289035.html?tag=lst-0-2
>
> AdAware: Free
> http://www.lavasoftusa.com/support/download/
> HOW TO: Reconfigure Ad-aware for a Full Scan
> http://forum.aumha.org/viewtopic.php?t=5877
>
> HiJackThis:
>
> Unzip the Download file in a NEW FOLDER that you can create before you start
> the download.
> DO NOT install in your Desktop folder.
> DO NOT use any of the TEMP folders that are presently in your computer.
> Double-click "HijackThis.exe" and Press "Scan".
>
> Go to:
> http://www.majorgeeks.com/download3155.html
> and download HiJackThis to the new folder. Unzip to a folder other than your
> Desktop or the Temp folder, doubleclick HiJackThis.exe, and hit "Scan".
>
> When the scan is finished, the "Scan" button will change into a "Save Log"
> button. Press that, save the log some place you remember where it is.
> Most of what it lists will be harmless or even required, so DO NOT fix
> anything yet.
>
> Open the copy of your log in NotePad and make a copy. Then you can go to one
> of the following to post your log:
>
> <<PLEASE DO NOT POST YOUR LOG FILE TO THIS NEWSGROUP>>
>
> Spyware and Hijackware Removal Support, here:
> http://216.180.233.162/~swicom/forums/
>
> or Net-Integration here:
> http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>
> or Tom Coyote here:
> http://forums.tomcoyote.org/index.php?act=idx
>
> You will need to register to open a new thread to post you log. It is free,
> and no one will Spam you, it is one of many that provides this service. Once
> registered, go to the HiJackThis section on the forum list and click to
> open. Then start a new post and post your log. The experts there will
> analyze the log and report back the results. Please allow at least a few
> hours or a days time for a response, depending on when you post the log
>
> Remember, you must return to the HJT site to get your answer. It is a good
> idea to click the "Notify" box so that you will get an electronic
> notification by e-mail to let you know when a response has been posted.
> But, you must still return to the site of your answer
>
> Finally, go to Windows Update and ensure that ALL Critical updates are
> installed.
>
> If the above does not resovle the problem, then it may be a more recent
> variant so go to the next step and follow all instructions carefully:
>
> New ABOUT:BLANK CWS variant removal tool:
>
> Like any disinfection procedure, it's a bit risky - it deletes an important
> registry key and subsequently restores a revised version. If something goes
> wrong, your PC may no longer work normally.
>
> YOU USE THIS PROCEDURE AT YOUR OWN RISK!
>
> Download Registrar Lite 2.0, install it and run it.
> http://www.majorgeeks.com/download469.html
> http://www.softpedia.com/public/cat/12/5/12-5-21.shtml
>
> Navigate to this key:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
> (note...should be all on one line)
> and look at the AppInit_Dlls value.
>
> Write down the name of the DLL file that's displayed!
>
> (If you see several values separated by commas or spaces, which is unlikely,
> use Windows Explorer to search for each one in the Windows\System32 or
> Winnt\System32 directory. The one you can't find is the one to remember!)
>
> Exit Registrar Lite.
>
>
> Download and run this script. It will delete the CWS AppInit_Dlls value and
> reboot Windows. After the reboot, the shield-DLL file is still on the hard
> disk, but it's no longer a threat to your PC.
> http://www.silentrunners.org/CWS%20Shield%20Dropper.vbs
>
> Download Silent Runners here:
> http://www.silentrunners.org/Silent%20Runners.vbs
> Run it and look at the list of Browser Helper Objects. One of them will have
> a strange name. Write down the the file name (including the full path)!
>
> (If you're not sure which BHO was installed by CWS, reboot into Safe Mode
> and follow steps 8-10 here. Commercial programs, such as PestPatrol, are
> also available to identify and delete BHO pests.)
>
> Download and run this script to delete the CWS shield-DLL and the BHO files.
> No reboot will be required.
> http://www.silentrunners.org/CWS%20File%20Cleaner.vbs
>
> Reset your Internet Explorer home page. Your PC should now run normally.
>
> If these steps do not resolve your problem, please post back to this thread
> with the details and any error messages.
>
> Hope this helps
>
> Jan :)
> Smiles are meant to be shared,
> that's why they're so contagious.
>
> Please reply to the newsgroup so others may benefit.
> Replies are posted only to the newsgroup for the benefit or other readers.
>
> How to make a good newsgroup post:
> http://www.dts-l.org/goodpost.htm
>
>
>
>
>
>