Full Version: www.coolwebsearch.com
Neowin Forums > Help & Discussion Center > Internet, Network & Security
Thomas O'Malley
Hello,

My computer is infected with a trojan virus called norio. It started by a hacking file called coolwebsearch, or at least that's what I've found out by running Adaware and Spybot.

Apparently neither Norton Antivirus 2005 nor Panda Antivirus is able to do anything about this Trojan. Can anyone help me out? I've been searching the net for a solution for the last 4 days now (what a way to spend the New Year eh...). Not to say I'm desperate.

Many thanks in advance
Brgds
Thomas O'Malley
asmit
Are you sure Norton can't do anything about it? Have you booted into Safe Mode before attempting to clean it?

http://securityresponse.symantec.com/avcen...ojan.norio.html

Follow these steps!
Thomas O'Malley
QUOTE(asmit @ Jan 3 2005, 21:07)
Are you sure Norton can't do anything about it?  Have you booted into Safe Mode before attempting to clean it?

http://securityresponse.symantec.com/avcen...ojan.norio.html

Follow these steps!

I saw that page, but no... It didn't work... no.
Farstrider
CoolWebSearch is one of the worst Spyware infections. The latest variants use a Hidden DLL that is installed by taking over the file system's data stream and stealthing the DLL file. Some AntiVirus programs will detect and clean it from memory but as soon as your system is rebooted and another Internet connection made, it will reinstall itself. CWShredder 2.x removes this variant.
Here is the prog to clean it CWShredder

This will fix it.
Farstrider
Sorry, here are the instructions, pretty easy!

Instructions - Download, close all web browsers and run, select "I AGREE", "Fix" and "OK". After it is finished select "Next" to see if you were infected. Run CWShredder again to confirm all variants of CoolWebSearch have been removed.
asmit
QUOTE
CoolWebSearch is one of the worst Spyware infections.

Wow, you were right!
http://www.adwarereport.com/mt/archives/000051.html
Thomas O'Malley
QUOTE(toejam @ Jan 3 2005, 21:14)
Sorry, here are the instructions, pretty easy!

Instructions - Download, close all web browsers and run, select "I AGREE", "Fix" and "OK". After it is finished select "Next" to see if you were infected. Run CWShredder again to confirm all variants of CoolWebSearch have been removed.

Hi Toejam,

Maybe it's me, maybe something changed over the last days but, following these instructions it does not work.

I can download and make the scan run (it finds 46 infected files). At that time I need to register and pay for the complete version.
Farstrider
This is freeware you do not have to pay for it, just run the thing!

In fact all you must do is run fix and take it from there!
Thomas O'Malley
QUOTE(toejam @ Jan 3 2005, 21:30)
This is freeware you do not have to pay for it, just run the thing!

In fact all you must do is run fix and take it from there!

I can run the thing, I just can not erase all the infected files.
Farstrider
Did you download the file from the link that I gave you? You end up on majorgeeks website and there it quite clearly says that it is freeware, sorry if this is not the case. I ran the thing and did not run into any registration requests, so I am not really sure what it is asking you!
Thomas O'Malley
QUOTE(toejam @ Jan 3 2005, 21:49)
Did you download the file from the link that I gave you? You end up on majorgeeks website and there it quite clearly says that it is freeware, sorry if this is not the case. I ran the thing and did not run into any registration requests, so I am not really sure what it is asking you!
Indeed I did download it from the site you gave me.
And indeed you do end up here: http://www.majorgeeks.com/download3019.html
If you decide to download you are transferred to this site http://www.pctools.com/spyware-doctor/?ref...al_mg_sd_336_rd . All of a sudden they don't mention Freeware anymore. If you finally perform the scan, they ask you to register.

So far, no solution found, I may add.
Farstrider
Sorry to hear that bud, I will see what I can do!

Just checked the link you said you tried, you are downloading the wrong thing, you must download CWShredder 2.12 click on one of the American sites!
digen
Here, try this link. From the MVP's freebie section.
Farstrider
I can see what you did, you must wait for the download to start, you did not give it a chance to start, and then you clicked on download Spyware Doctor, no wonder you ended up with the wrong thing! As they say in the classics read the instruction and ye shall be rewarded!!!
Thomas O'Malley
Thanks guys,

CWShredder scanned and worked. At least that problem is solved. There was no infected file from www.coolwebsearch found.

So the next question I have is how it can be possible that CWShredder doesn't find anything while my Homepage on my browser always resets itself on about:blank (while it was www.google.com) and how it is possible that Adaware finds 19 infected files from www.coolwebsearch.com...
k0pect8
Try Spywareblaster and Spybot - both free.
digen
Spywareblaster isn't a spyware scanner as such. It integrates with your browser & just prevents ActiveX components from downloading via IE. Doesn't help much when you are already infected.
sizduman
you might have C2lop
LastSamurai
QUOTE(Thomas O'Malley @ Jan 3 2005, 20:58)
Thanks guys,

CWShredder scanned and worked.  At least that problem is solved.  There was no infected file from www.coolwebsearch found. 

So the next question I have is how it can be possible that CWShredder doesn't find anything while my Homepage on my browser always resets itself on about:blank (while it was www.google.com) and how it is possible that Adaware finds 19 infected files from www.coolwebsearch.com...

google a removal tool called "about:buster", or post a Hijackthis Log, CWShredder can't clean all CWS variants.
Hawkeye
QUOTE(LastSamurai @ Jan 4 2005, 01:24)
google a removal tool called "about:buster", or post a Hijackthis Log, CWShredder can't clean all CWS variants.

This is correct. CWShredder can handle most primitive forms of CWS, but there are one or two that are just totally nefarious and cannot be removed by CWShredder. I actually had one of the types that cannot be removed from it on my computer, and at that time, the variant was still fairly new, and boy, I thought I would have to take a jackhammer to my computer before I finally got rid of it.

Post a HijackThis log here (you can attach it if you like). We will tell you where to go from there. HijackThis will catch some deviant DLL files that are associated with CWS.
Thomas O'Malley
QUOTE(Hawkeye @ Jan 4 2005, 08:48)
This is correct. CWShredder can handle most primitive forms of CWS, but there are one or two that are just totally nefarious and cannot be removed by CWShredder. I actually had one of the types that cannot be removed from it on my computer, and at that time, the variant was still fairly new, and boy, I thought I would have to take a jackhammer to my computer before I finally got rid of it.

Post a HijackThis log here (you can attach it if you like). We will tell you where to go from there. HijackThis will catch some deviant DLL files that are associated with CWS.

This is all like Chinese to me, but I haven't got anything to lose, do I?

Anyway, I think this is what I think you asked me to do:

QUOTE
Logfile of HijackThis v1.99.0
Scan saved at 17:12:54, on 4/01/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINNT\System32\TCAUDIAG.exe
C:\WINNT\loadqm.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\program files\quicktime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
C:\WINNT\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\apilv.exe
C:\WINNT\system32\mfchk32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINNT\explorer.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\honmj.dll/sp.html#52409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\honmj.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\honmj.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\honmj.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\honmj.dll/sp.html#52409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\honmj.dll/sp.html#52409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\honmj.dll/sp.html#52409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {ECC139F7-6982-B594-DBFC-75FF0AA44A72} - C:\WINNT\crob32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [mfchk32.exe] C:\WINNT\system32\mfchk32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunOnce: [MNSIndex] C:\Program Files\ToDelete\MNSIndex.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Ultimate Popup Blocker] C:\Program Files\ToDelete\Ultimate Pop-up Blocker.exe
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
O4 - HKCU\..\Run: [Each Ref] C:\DOCUME~1\Patje\APPLIC~1\FORVGA~1\enc stop.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [MNShist] C:\Program Files\ToDelete\MNSHist.exe MNSErase
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
O16 - DPF: Dexia netbanking - http://netbanking.dexia.be/PC//Dynamic/Sha...t//DexiaIIA.cab
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.t058.com/inst/enter.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/091a39087ff674...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...llInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://www.advnt01.com/dialer/belgio_ver3.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINNT\system32\apilv.exe


If you do find a solution to my problem, please try to explain it in a language understandable for simple human beings as myself, will yah?
Farstrider
Just a quick question, what version of CWShredder did you download and use?
This from the people who now own and make CWShredder:

CWShredder™ Version 2.1 is the latest defense against the new Cool Web Search variants.
CWShredder™ Version 2.1
Released: December 2004

Here is the link, once you click on the correct link, WAIT FOR THE DOWNLOAD TO START, do NOT click on anything else, the download takes a few moments to start.
CWShredder 2.12

Hope this helps.

Here is a link from the homepage CWShredder
Thomas O'Malley
QUOTE(toejam @ Jan 4 2005, 19:39)
Just a quick question, what version of CWShredder did you download and use?
This from the people who now own and make CWShredder:

CWShredder™ Version 2.1 is the latest defense against the new Cool Web Search variants.
CWShredder™ Version 2.1
Released: December 2004

Here is the link, once you click on the correct link, WAIT FOR THE DOWNLOAD TO START, do NOT click on anything else, the download takes a few moments to start.
CWShredder 2.12

Hope this helps.

Here is a link from the homepage CWShredder

That's the one I downloaded and tried, toejam.

But there is a positive progress, meaning: I tried Spy Sweeper and that seems to work... At least, my home page is reset to http://www.google.com .
But I did not reboot so far, so let's just hope for the best. CWS isn't removed, Adaware still finds files from that stupid www.coolwebsearch.org thing.

The Norio Trojan is definitely removed, that's for sure. So the only problem remaining is CWS.
Farstrider
This is really irritating I can just see how mad you must be. I am really going to see if I can help, come hell or high water we must get rid of this thing. I tell you these people who make **** like this should be hung drawn and quartered, jeez they **** me off!!
Thomas O'Malley
QUOTE(toejam @ Jan 4 2005, 20:33)
This is really irritating I can just see how mad you must be. I am really going to see if I can help, come hell or high water we must get rid of this thing. I tell you these people who make **** like this should be hung drawn and quartered, jeez they **** me off!!

Even Spy Sweeper can't get rid of it...

It keeps on finding 2 'things', saying AdAware found: CWS_NS3 (CWS_NS3 has the ability to hijack your Web searches, home page, and Internet Explorer settings.) I can delete them through Spy Sweeper, but if I run it again, these two items are there again...

I blocked my homepage now on the default homepage, as Spy Sweeper recommended when you have a good idea you were hijacked, which is: http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome So there goes my http://www.google.com as my used-to-be homepage...

Anyway, when this scan is finished I'm going to reboot the system once more to see if that changes anything.
Farstrider
One more thing that I forgot to say is that your system restore must be switched off when you clean as this will not allow any of the "cleaned files" to get back on the system.
Milan -
Sorry, I have to make this big coz it's probably the best cool www search tool ever

COOLWEBSEARCH SHREDDER
VRam
Is it the same person making the CWs variants? Why hasn't this jerk been offed yet?
Farstrider
QUOTE(neomilan @ Jan 4 2005, 21:31)
Sorry, I have to make this big coz it's probably the best cool www search tool ever

COOLWEBSEARCH SHREDDER


Sorry, this site just has all the things that have been tried so far??
Thomas O'Malley
Yes indeed, and nothing seems to work.
Even Spy Sweeper is failing and letting me down.
M2Ys4U
are there any running processes that might be replacing these files after they are being deleted?
Thomas O'Malley
QUOTE(M2Ys4U @ Jan 4 2005, 22:40)
are there any running processes that might be replacing these files after they are being deleted?

Nothing is running, nothing at all... I don't understand a thing of it.
display name
Sometimes it's best to just throw in the towel and format.
I know that's the simple answer, but it is effective. Once you have formatted, install
spyware blaster etc, and hopefully it won't happen again.
Thomas O'Malley
QUOTE(keratosis @ Jan 4 2005, 23:22)
Sometimes it's best to just throw in the towel and format.
I know that's the simple answer, but it is effective. Once you have formatted, install
spyware blaster etc, and hopefully it won't happen again.

And lose all the music files on my computer? No way.
PrototypeX2
QUOTE(Thomas O'Malley @ Jan 4 2005, 14:32)
And lose all the music files on my computer? No way.

You back it up with a portable hard drive disc like my zen micro or ipod OR laptops and format.
Farstrider
Ok here goes another effort, let's see if this works:

This is CoolWebSearch.qttasks manual removal:

Delete registry values:
Browse to the key:
'HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
Delete the value 'QuickTime Task'

Delete files:
qttasks.exe

Automatic removal:

Link
Thomas O'Malley
I want to thank everybody who gave me hints and tips concerning this problem. At this moment everything seems under control and the CWS 'things' seem to have disappeared for the last 4 hours or so. Even after rebooting the system. The only thing I did was scan the disks over and over again with Spy Sweeper. After the fifteenth scan it seems gone. Let's hope it stays this way, also when I start the computer back up in the morning. A very good night to all from Belgium, Europe, and best to all of you.

In case the problem remains you'll see this topic back on top of the list.

Time for a yell: Yiiiiiiiiiiiiiihaaaaaaaaaaaa
Night.Hawk
QUOTE(Thomas O'Malley @ Jan 4 2005, 18:17)
I want to thank everybody who gave me hints and tips concerning this problem. At this moment everything seems under control and the CWS 'things' seem to have disappeared for the last 4 hours or so. Even after rebooting the system. The only thing I did was scan the disks over and over again with Spy Sweeper. After the fifteenth scan it seems gone. Let's hope it stays this way, also when I start the computer back up in the morning. A very good night to all from Belgium, Europe, and best to all of you.

In case the problem remains you'll see this topic back on top of the list.

Time for a yell: Yiiiiiiiiiiiiiihaaaaaaaaaaaa

YAY!! Party Party! Let's hope it stays gone.
Avalanche
How come that such "tools" are legal ( or not ? ), blocking sites and programs without approving this is illegal as it almost takes control of your pc and I also don't understand that after all the things we hear in the news and websites about the fight for spam by microsoft, ISP's, government, ... that that thing is still up ???

Please enlighten me
M2Ys4U
they can't catch them
Thomas O'Malley
QUOTE(NeoTech @ Jan 5 2005, 01:44)
YAY!! Party Party! Let's hope it stays gone.

It's back
LastSamurai
dude, you see those R1 entries and the last O23 entry called "Remote Procedure Call (RPC) Helper" in your Hijackthis Log? those are the bad ones causing the problem. like I said before, get a software called "About:Buster", search google for "home search assistant removal", follow the instructions to remove the malware.
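As an added example (not HijackThis code and not LastSamurai's), the triage LastSamurai describes, automated over a constructed log in HijackThis v1.99 format: it flags R0/R1 entries that point into a local DLL via res://, nameless O2 BHOs, O6 IE policy restrictions and O23 services with an unknown publisher, and collects the files those lines name so they can be looked at before any manual clean-up.

```python
"""Triage a HijackThis v1.99-style log for the CoolWebSearch indicators
discussed in this thread. Added example; the sample log below is constructed,
modelled on the entries quoted in the thread."""
import re

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\honmj.dll/sp.html#52409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\honmj.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {ECC139F7-6982-B594-DBFC-75FF0AA44A72} - C:\WINNT\crob32.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINNT\system32\apilv.exe
"""

# One regex per line shape that the triage below looks at.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")
RES_DLL_RE = re.compile(r"^res://(?P<dll>.+?\.dll)", re.IGNORECASE)


def triage(log_text):
    """Return (findings, suspect_files).

    findings: list of (code, reason, detail) tuples, one per suspicious line.
    suspect_files: lower-cased paths the suspicious lines point at.
    """
    findings = []
    suspect_files = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        code, body = m.group("code"), m.group("body")

        if code in ("R0", "R1"):
            r = R_RE.match(body)
            if not r:
                continue
            data = r.group("data").strip()
            res = RES_DLL_RE.match(data)
            if res:
                # A search/start page served out of a local DLL via res:// is the
                # CWS home-search hijack, never a normal browser setting.
                findings.append((code, "IE search/start setting points into a local DLL", data))
                suspect_files.add(res.group("dll").lower())
            elif data.lower() == "about:blank" and r.group("value").strip() in ("Default_Page_URL", "Start Page"):
                # Weak on its own; it is the symptom reported in this thread.
                findings.append((code, "start page forced to about:blank", data))

        elif code == "O2":
            b = O2_RE.match(body)
            if b and b.group("name").strip().lower() == "(no name)":
                findings.append((code, "browser helper object with no name", b.group("path")))
                suspect_files.add(b.group("path").strip().lower())

        elif code == "O6" and body.endswith("present"):
            # Policy keys that lock IE's home page / options so the user
            # cannot undo the hijack through the UI.
            findings.append((code, "IE policy restrictions in place", body))

        elif code == "O23":
            s = O23_RE.match(body)
            if s and s.group("company").strip().lower() == "unknown":
                findings.append((code, "service with unknown publisher", s.group("path")))
                suspect_files.add(s.group("path").strip().lower())

    return findings, suspect_files


if __name__ == "__main__":
    found, files = triage(SAMPLE_LOG)
    for code, reason, detail in found:
        print(f"{code}: {reason} -> {detail}")
    print("files to investigate:", sorted(files))
```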
TimRogers
OoOoO...when it come out tomorrow, try Microsoft AntiSpyware, or just try GIANT Antispyware the best remover, from GiantSoftware.com - put it this way, Microsoft have bought that product so it's gotta be pretty good
Farstrider
Sorry to hear man!!
Thomas O'Malley
QUOTE(LastSamurai @ Jan 5 2005, 21:43)
dude, you see those R1 entries and the last O23 entry called "Remote Procedure Call (RPC) Helper" in your Hijackthis Log? those are the bad ones causing the problem. like I said before, get a software called "About:Buster", search google for "home search assistant removal", follow the instructions to remove the malware.

I installed all these downloads and made them run. http://www.bleepingcomputer.com/forums/tutorial85.html

I also downloaded a file called aboutbuster like you recommended.
Still the problem remains.
kombolcha
what about hi-jack this?

http://www.pctools.com/spyware-doctor/?ref=google_hj

otherwise...


FORMAT!
LastSamurai
here is a better removal guide:
http://www.short-media.com/review.php?r=259&p=2
if you're not sure which files and hijackthis entries are bad ones, please post a new log cuz malware files' names might change after you reboot system.
siddhs
Awright Guysss...

The SpyWare is here.....

I hate this f***** spywares.....I was looked down upon by my room-mates when I got infected

So...here it goes...

Download, save to desktop, but do not run yet:
WinSock
and
Hoster

Also Download -- Killbox

Since you already have HijackThis....Try doing the following.....
Go to C Drive....and do the following....

select New then Folder and name it HJT. (C:\HJT\HijackThis.exe) Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked" it will create a backup file of modifications to use if restore is necessary, which is easily accessible.

Then run this application...FindIT

Unzip the contents of the new finditnt2000xp.zip to a convenient location. Must be unzipped. It will not work properly if run from within the zip.
1. Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
2. A command prompt will open and it will search your computer for malicious files.
3. Once it has finished a Notepad window will pop up with output.txt.

Please try to avoid rebooting or switching users until instructed to do so. Existing file names change and new ones are created each time.

Don't thank me ....not my work

-Siddhs
Thomas O'Malley
QUOTE(LastSamurai @ Jan 6 2005, 04:53)
here is a better removal guide:
http://www.short-media.com/review.php?r=259&p=2
if you're not sure which files and hijackthis entries are bad ones, please post a new log cuz malware files' names might change after you reboot system.

Thx dude, I'll let you know if this works. I can't do it all in one day. Pc goes off now, and I'll try it in a couple of days.

If this doesn't work I'll try siddhs' way.

See you in a few days, hopefully with good news
Farstrider
These are the CoolWebSearch varieties, a $hit load of them as you can see!

Go here and all the manual instructions are available, but you must ID the variant!
Secure Most

CoolWebSearch
CoolWebSearch.Alfasearch
CoolWebSearch.control
CoolWebSearch.cpan
CoolWebSearch.ctrlpan
CoolWebSearch.DNSE
CoolWebSearch.DNSErr
CoolWebSearch.ehttp
CoolWebSearch.excel10
CoolWebSearch.explorer32
CoolWebSearch.iefeatsl
CoolWebSearch.iefeatslupdate
CoolWebSearch.image
CoolWebSearch.keymgrldr
CoolWebSearch.ld
CoolWebSearch.madfinder
CoolWebSearch.mssearch
CoolWebSearch.mstaskm
CoolWebSearch.msupdate
CoolWebSearch.msupdater
CoolWebSearch.mtwirl32
CoolWebSearch.notepad32
CoolWebSearch.olehelp
CoolWebSearch.qttasks
CoolWebSearch.quicken
CoolWebSearch.soundmx
CoolWebSearch.sys
CoolWebSearch.time
CoolWebSearch.winproc32
CoolWebSearch.xplugin
CoolWebSearch.xpsystem


1. Remove coolwebsearch: DataNotary, BootConf and MSInfo variants

Turn off user-style sheet option at Tools->Internet Options->Accessibility in your Internet Explorer.

You should now be able to delete the user stylesheet from the Windows folder. With DataNotary it is called 'default.css'; with MSInfo it is called 'oslogo.bmp'; with Bootconf it may be either.

2. Remove coolwebsearch: MSInfo variant

Delete the line "run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe" from the win.ini file in your Windows folder. This line may be changed a little on different systems, but will always point to msinfo.exe.

Delete the "c:\Program Files\Common Files\MSInfo" folder.

3. Remove coolwebsearch: BootConf, SvcHost variants

Open the registry and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the bootconf.exe or svchost.exe entry.

You can then delete the bootconf.exe or svchost32.exe file from the System folder (called 'System32' on Windows NT/2000/XP).

4. Remove coolwebsearch: BootConf, SvcHost, MSInfo variants

Find the file 'HOSTS' with no extension in the drivers\etc folder in your System folder.

Either edit it to remove the hijacker entries, or simply delete the file.

5. Remove coolwebsearch: PnP variant

Find the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the SysPnP entry.

Also delete the oemsysinf.pnp file from the 'inf' folder inside your Windows folder.

6. Remove coolwebsearch: MSSPI variant

This is very tricky to remove by hand as this can result in losing your internet connection. It is advised that you do not do this by hand. Open the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries and delete the subkeys starting with the path of msspi.dll. Renumber the remaining subkeys, and set the Num_Catalog_Entries value in the Protocol_Catalog9 key to match the highest numbered subkey left. Open the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the msupdate entry if it is there.

Restart the computer and you should be able to delete msspi.dll in the System folder (called 'System32' on Windows NT/2000/XP), along with msupdate.exe if it is present.

7. Remove coolwebsearch: DNSRelay variant

Open a DOS command prompt window, enter the following commands and restart:
cd "%WinDir%\System"
regsvr32 /u dnsrelay.dll

You should be able to delete the file 'dnsrelay.dll' in the System folder (called 'System32' on Windows NT/2000/XP).

After you have removed any variants of CoolWebSearch which you have there is one last thing which you need to do to complete the removal process. Go to Internet Options->Programs->Reset Web Settings in your Internet Explorer to remove the hijacked home page and search settings.
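An offline simulation of the Protocol_Catalog9 clean-up in step 6, added here as an example (not the guide's or any vendor's tooling): the Winsock catalog is modelled as a plain dict, with the 12-digit zero-padded subkey names and the Num_Catalog_Entries count assumed from the layout the step describes, and each entry reduced to the provider DLL path. It shows why the renumbering and the count fix are not optional.

```python
"""Simulated Winsock2 Protocol_Catalog9 clean-up (step 6 of the guide above).
Added example; nothing here touches the real registry. The catalog layout
(zero-padded subkey names, Num_Catalog_Entries count, entry value reduced to
the DLL path) is an assumption made for the simulation."""
import os

# Registry location the guide points at, for reference only.
CATALOG_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"

# Constructed sample chain: two msspi.dll layers wedged between normal providers.
SAMPLE_CATALOG = {
    "Num_Catalog_Entries": 5,
    "Catalog_Entries": {
        "000000000001": r"%SystemRoot%\system32\msspi.dll",
        "000000000002": r"%SystemRoot%\system32\mswsock.dll",
        "000000000003": r"%SystemRoot%\system32\msspi.dll",
        "000000000004": r"%SystemRoot%\system32\rsvpsp.dll",
        "000000000005": r"%SystemRoot%\system32\mswsock.dll",
    },
}


def _entry_name(n):
    return f"{n:012d}"


def validate_catalog(catalog):
    """Return the list of consistency problems; [] means the chain is well-formed.

    The guide's two rules: subkeys must run 1..N with no gaps, and
    Num_Catalog_Entries must equal N. Break either and the stack can fail to
    load, which is the 'lose your internet connection' outcome the guide warns about.
    """
    problems = []
    names = sorted(catalog["Catalog_Entries"])
    expected = [_entry_name(i) for i in range(1, len(names) + 1)]
    if names != expected:
        problems.append(f"subkeys are not contiguous from 1: {names}")
    if catalog["Num_Catalog_Entries"] != len(names):
        problems.append(
            f"Num_Catalog_Entries is {catalog['Num_Catalog_Entries']}, expected {len(names)}"
        )
    return problems


def remove_lsp_entries(catalog, dll_name):
    """Drop every entry whose provider DLL is dll_name, renumber the rest from 1
    in their original order and fix the count. Returns (new_catalog, removed_paths);
    the input is left untouched."""
    kept, removed = [], []
    for name in sorted(catalog["Catalog_Entries"]):
        path = catalog["Catalog_Entries"][name]
        base = os.path.basename(path.replace("\\", "/")).lower()
        (removed if base == dll_name.lower() else kept).append(path)
    new_catalog = {
        "Num_Catalog_Entries": len(kept),
        "Catalog_Entries": {_entry_name(i): p for i, p in enumerate(kept, start=1)},
    }
    return new_catalog, removed


if __name__ == "__main__":
    cleaned, gone = remove_lsp_entries(SAMPLE_CATALOG, "msspi.dll")
    print("removed:", gone)
    print("problems after clean-up:", validate_catalog(cleaned) or "none")
    # Deleting the two subkeys without renumbering leaves a broken chain:
    naive = {
        "Num_Catalog_Entries": SAMPLE_CATALOG["Num_Catalog_Entries"],
        "Catalog_Entries": {k: v for k, v in SAMPLE_CATALOG["Catalog_Entries"].items()
                            if not v.lower().endswith("msspi.dll")},
    }
    print("problems after naive delete:", validate_catalog(naive))
```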
