Re: Bookmaker.F Virus residue

From: Mike Burgess (winhelp2002_at_spamthis.com)
Date: 03/31/04


Date: Tue, 30 Mar 2004 19:44:42 -0500

News,
Trojan.Bookmaker.F = Coolwebsearch trojan

How to remove Coolwebsearch and affiliates
http://mvps.org/winhelp2002/unwanted.htm#Coolwebsearch

Note: this type of hijack indicates an unpatched machine that is lacking
in "Defense". Please visit Windows Update to avoid these exploits.
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 03-27-04]
Please post replies to this Newsgroup, email address is invalid

--
"News" <news@direcway.com> wrote in message
news:et7vOAfFEHA.3252@TK2MSFTNGP11.phx.gbl...
> My computer got infected with the Trojan.Bookmaker.F virus. I followed the
> instructions for removal and am left with this quirky problem. When I delete
> the Hosts.text file and the about:blank and open Internet Explorer the start
> page is what I entered. As soon as I reboot the computer the hosts.text file
> gets regenerated and the Start Page gets reset to about:blank. (if I click
> the "about:blank" on IE nothing happens). I've rescanned the computer via
> Symantec. It says the computer is virus free. I've looked at the startup
> process via msconfig and can't Id any problem file. Any help would be
> appreciated.
>
>
>
> Thank you
>
> Bob
>
>
>
>
>
> Hosts file that gets regenerated on boot up
>
>
> C:\windows\system32\drivers\etc\hosts.text
>
> 127.0.0.1 local host
>
> 213.159.117.235 auto.search.msn.com
>
>
>
> Registry Entries
>
>
> These are wrong and keep getting reset on computer bootup
> HKCU/Software/ Microsoft/Internet Explorer/Main/Start Page = about: blank
>
> HKLM/Software/ Microsoft/Internet Explorer/Main/Start Page = about: blank
>
> HK_U/5-1-5-21/Software/Microsoft/Internet Explorer/Main/Start Page = about:
> blank
>
>
>
> These are correct but are evidently not being used in IE.
>
> HK_U/Default/Software/Microsoft/Internet Explorer/Main/Start Page =
> www.direcway etc.
>
> HK_U/5-1-5-18/Software/Microsoft/Internet Explorer/Main/Start Page =
> www.direcway etc.
>
>
>
>
>
> Registry Values removed..no longer there
>
>
> HKLM\Classes\TypeLib\{53B95204-7D77-11D2-9F80-00104B107C96}
>
> HKCR\Interface\{53B95210-7D77-11D2-9F80-00104B107C96}
>
> HKCR\Xmlmimefilter.XMLMimeFilterPP.1
>
> HKCR\Clsid\{53B95211-7D77-11D2-9F80-00104B107C96}
>
>
>
> Registry Values not changed
>
>
> HKCR\PROTOCOLS\Handler\about\"Clsid" =
> "{53B95211-7D77-11D2-9F80-00104B107C96}"
>
> Note: There are no " " in the registry.
>
>
>
>
>
>
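
An added example, not part of the original thread: a small hosts-file audit that flags any hostname mapped to a non-loopback address, which is the pattern in the regenerated file quoted above. The sample text is constructed from the two entries in the post plus a comment and a blocking entry added for illustration; the function names are this example's own.

```python
import ipaddress

# Constructed sample: the two mappings quoted in the post, plus a comment
# line and a 0.0.0.0 blocking entry added here for illustration.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 local host
213.159.117.235 auto.search.msn.com
0.0.0.0 ads.example.invalid   # blocking entry
"""


def parse_hosts(text):
    """Yield (line_no, address, hostnames) for each mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line, or an address with no hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        yield line_no, addr, fields[1:]


def find_redirects(text):
    """Return (line_no, hostname, address) for every non-loopback mapping.

    Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) targets are the
    usual blocking entries and are skipped; everything else sends the
    name to another machine and needs a human decision.
    """
    findings = []
    for line_no, addr, names in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in names:
            findings.append((line_no, name.lower(), str(addr)))
    return findings


if __name__ == "__main__":
    for line_no, name, addr in find_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

Legitimate entries that point at LAN addresses are reported too, so the output is a review list rather than a verdict.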

