Re: abosearch.com browser hijacker (I think)
From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 03/13/05
- Next message: B.W.: "Free A/V"
- Previous message: FrankV: "Re: gcasDServHolder -what is it?"
- Maybe in reply to: Macsicarr: "abosearch.com browser hijacker (I think)"
- Next in thread: Sandi - Microsoft MVP: "Re: abosearch.com browser hijacker (I think)"
- Reply: Sandi - Microsoft MVP: "Re: abosearch.com browser hijacker (I think)"
Date: Sun, 13 Mar 2005 20:58:20 GMT
From: "Macsicarr" <nospam@none.nl>
| Hi All
|
| My friend's WinXP SP1 machine has Microsoft Anti-Spyware Beta (latest
| updates), AVG 7.0 free (latest updates) and the built-in firewall on, but
| has been infested with some kind of virus/trojan that does the following:
|
| 1) Always tries to bounce their browser to www.absoearch.com
|
| 2) Shows bogus pages in their browser asking them to send login details such
| as Tiscali, etc
|
| 3) Fills their hosts file with hundreds of crap web sites
|
| I've MS Anti-Spywared it, AdAware-d it, SpyBot-ed it, AVG 7-d it,
| CoolWebShredded it, looked in the Add/Remove Progs and the MSConfig startup
| list, but I can't get rid of the above problem.
|
| When I did a HijackThis it found and deleted the offending abosearch
| entries, but then when you restart back they come.
|
| If possible, could you please let me know of a solution.
|
| Many thanks.
|
| Regards Mac
|
Mac:

Please consider Cross-Posting ( as I have done in this reply ) instead of Multi-Posting to
pertinent News Groups. It also helps to then set a follow-up to one of those News Groups, as
I have set the followup-to: alt.privacy.spyware.
This way all replies go to one News Group most apropos to the problem and you don't separate
answers to the one problem in all different places.

You did not mention the version of Ad-aware and SpyBot. If you have Ad-aware SE v1.05 and
SpyBot S&D v1.3 already, ignore the parts about downloading them, just apply the suggested
way of executing them.

Please read the following Microsoft URL on "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Dump the contents of the IE Temporary Internet Folder cache (TIF)
start --> settings --> control panel --> internet options --> delete files

BHODemon -- http://www.definitivesolutions.com/bhodemon.htm

1) Download the following three items...
Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp
Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp
Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/
BHODemon
http://www.definitivesolutions.com/bhodemon.htm
SpyBot Search and Destroy (v1.3)
http://www.safer-networking.org/en/download/index.html
Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt488.zip
Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.
2) Update Ad-aware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shut down as many applications as possible.
5) Using SpyBot S&D, Trend Sysclean and Ad-aware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Ad-aware.
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) Execute BHODemon and see if there are any malware Browser Helper Objects.
10) If you are using WinME or WinXP, create a new Restore point.
* * Please report back your results * *
-- Dave http://www.claymania.com/removal-trojan-adware.html
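
Added example (not part of either post): symptom 3 in the quoted message is a hosts file filled with unwanted entries, so a quick audit of that file before and after the scans shows whether the cleanup held. The watch list of download sites taken from the reply, the finding labels and the sample file are assumptions constructed for this sketch.

```python
import ipaddress
from collections import Counter

# Download hosts named in the reply; a hosts entry for any of them would
# interfere with fetching the cleanup tools (this watch list is an assumption).
WATCH = ("trendmicro.com", "lavasoftusa.com", "safer-networking.org",
         "definitivesolutions.com", "support.microsoft.com")

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address
        for name in fields[1:]:
            yield no, addr, name.lower().rstrip(".")

def audit(text):
    """Summarise a hosts file: entry count, per-address totals, suspicious lines."""
    entries = list(parse_hosts(text))
    findings = []
    for no, addr, name in entries:
        if name == "localhost" and addr.is_loopback:
            continue                             # the entry a stock file carries
        if any(name == d or name.endswith("." + d) for d in WATCH):
            findings.append((no, name, str(addr), "tool-site-overridden"))
        elif not (addr.is_loopback or addr.is_unspecified):
            findings.append((no, name, str(addr), "redirect"))
        # Names sent to 127.0.0.1 / 0.0.0.0 are counted but not flagged:
        # that is how block lists are normally written.
    by_addr = Counter(str(a) for _, a, _ in entries)
    return {"entries": len(entries), "by_address": dict(by_addr), "findings": findings}

# Constructed sample (documentation-range address, example hostnames).
SAMPLE = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    search.example.com   # constructed redirect
127.0.0.1       www.trendmicro.com
0.0.0.0         ads.example.net
not-an-ip       junk
"""

if __name__ == "__main__":
    report = audit(SAMPLE)
    print(report["entries"], "entries", report["by_address"])
    for finding in report["findings"]:
        print(finding)
```

On Windows XP the file to read is %SystemRoot%\system32\drivers\etc\hosts; pass its contents to audit() and compare the entry count across reboots.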