Trojan Thing (about:blank) I spoke too soon


newbietuesday
February 13th 05, 07:57 PM
The cat came back the very next day...
The cat came back...
he thought it was a goner, but...

(repeat)
or
(repeat while banging head against a wall)

David H. Lipman
February 13th 05, 08:01 PM
microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

--
Dave




"newbietuesday" > wrote in message
lkaboutsoftware.com...
| The cat came back the very next day...
| The cat came back...
| he thought it was a goner, but...
|
| (repeat)
| or
| (repeat while banging head against a wall)

newbietuesday
February 13th 05, 09:27 PM
Yeah, I have dial-up... (earthlink to be precise)

I don't believe (???) that earthlink supports newsgroups. It's um...
pretty cheeseball!

I could be wrong.

At any rate, I have since tried to sign up for google groups, but I can't
get to my confirmation e-mails as that just sends my browser back to
about:blank. I can read the e-mails, but I can't hit the link in time.

Actually, I even had to disable my firewall to allow google groups to
let me sign up.

I do realize that this is not the best forum to find advice on virus
fixes, but this seems to be one of the only places on the web which
doesn't re-direct my browser to about:blank.

I'm guessing that it's because this page has no active script and that's
what seems to trigger the re-direct.

Hence, I am here.

The newsgroups I've been able to read through between shut-downs haven't
yielded anything useful as of yet, but I can't post, so I'm slugging
through a lot of threads.

I've still got my health, and a reasonable amount of beer, and I even
have the day off work tomorrow, so hey! it's okay... :)

Don Phillipson
February 13th 05, 09:36 PM
newbietuesday wrote:
> The cat came back the very next day...
> The cat came back...
> he thought it was a goner, but...
>
> (repeat)
> or
> (repeat while banging head against a wall)

When in doubt, so long as you can identify
its EXE or any essential DLL, delete in DOS.
You will no doubt get error messages (file
not found) but deleting the EXE usually prevents
the malware from replicating itself.

Brian A.
February 13th 05, 10:26 PM
It appears you have the CoolWebSearch about:blank or a variant.

**It is very important to run the update for each program before running to
be sure you have the latest definitions.** Run the programs in Safe Mode
after assuring you have shut down all running tasks except explorer or
systray and all apps are fully up to date.
Download/run Cool Web Shredder from:
http://www.intermute.com/products/cwshredder.html

For Info on Cool Web Search variants:
http://www.richardthelionhearted.com/~merijn/cwschronicles.html

Then download/install/run Ad-Aware SE to detect/rid of any other
parasites/spyware that may be installed. It can be obtained free from:
http://www.lavasoftusa.com/
After installing Ad-Aware, open it and click on the ref update to get the
latest up-to-date ref file, then run Ad-Aware and delete everything it
finds.

And/or download/install/run:
Spybot - Search & Destroy:
http://security.kolla.de/index.php?lang=en&page=download
Run it at its default settings until you learn and know more about it.
Spybot S&D is more of an advanced users tool and changing from the default
settings can be dangerous to the novice user. Items found in the default
settings that are RED can usually be safely removed. If you are unsure of a
found item, do not remove it and ask for help.

If you still have problems, download/run HijackThis from:
http://www.richardthelionhearted.com/~merijn/downloads.html
http://majorgeeks.com/downloads31.html

Copy HJT to its own folder; this is where the log files will be saved. Run
HJT in Normal Mode.
Do not remove anything with it until you get advice on what to remove,
HJThis will list many apps that are needed along with the bad ones. Removing
items listed haphazardly without knowing what they are can/will create a
royal mess. Read the quick start here on how to create a log file that can
be copied/pasted into a forum that can provide assistance on removal of
unwanted pests.
http://mjc1.com/mirror/hjt/#quick

Then post the logs to an appropriate forum where they specialize in
spyware/hijacker removal. Please read any sticky notes for proper posting
which are most commonly posted first at the top in each specific forum. Read
any information under each forum category name for information on what that
particular one is used for, and look for the proper one to post logs to.
http://forums.spywareinfo.com/

http://forum.aumha.org/

After running the above and assuring you have a clean machine:
It's also a good idea to have a HOSTS file to block bad sites, scroll to
HOSTS File Manager here:
http://www.mvps.org/PracticallyNerded/Software.htm

Another good app is SpywareBlaster which stops the badboys before they even
get a chance to install:
http://www.javacoolsoftware.com/spywareblaster.html

--

Brian A.

Conflicts start where information lacks.
http://www.dts-l.org/goodpost.htm


"newbietuesday" > wrote in message
lkaboutsoftware.com...
> Yeah, I have dial-up... (earthlink to be precise)
>
> I don't believe (???) that earthlink supports newsgroups. It's um...
> pretty cheeseball!
>
> I could be wrong.
>
> At any rate, I have since tried to sign up for google groups, but I can't
> get to my confirmation e-mails as that just sends my browser back to
> about:blank. I can read the e-mails, but I can't hit the link in time.
>
> Actually, I even had to disable my firewall to allow google groups to
> let me sign up.
>
> I do realize that this is not the best forum to find advice on virus
> fixes, but this seems to be one of the only places on the web which
> doesn't re-direct my browser to about:blank.
>
> I'm guessing that it's because this page has no active script and that's
> what seems to trigger the re-direct.
>
> Hence, I am here.
>
> The newsgroups I've been able to read through between shut-downs haven't
> yielded anything useful as of yet, but I can't post, so I'm slugging
> through a lot of threads.
>
> I've still got my health, and a reasonable amount of beer, and I even
> have the day off work tomorrow, so hey! it's okay... :)

glee
February 13th 05, 10:33 PM
"newbietuesday" > wrote in message
lkaboutsoftware.com...
> Yeah, I have dial-up... (earthlink to be precise)
>
> I don't believe (???) that earthlink supports newsgroups. It's um...
> pretty cheeseball!
>
> I could be wrong.

You are.....Earthlink has a news server that includes Microsoft newsgroups.
Besides, you don't have to use the Earthlink news server anyway....set up an account
in Outlook Express for msnews.microsoft.com, then go to the groups linked in David's
post.

How to set up OE as a newsreader for msnews:
http://www.rickrogers.org/setupoe.htm

http://www.michaelstevenstech.com/outlookexpressnewreader.htm

http://insideoe.tomsterdam.com/resources/communities.htm#setupmsnews
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/goodpost.htm

Bill Blanton
February 14th 05, 12:46 AM
"glee" > wrote in message ...
> "newbietuesday" > wrote in message
> lkaboutsoftware.com...
>> Yeah, I have dial-up... (earthlink to be precise)
>>
>> I don't believe (???) that earthlink supports newsgroups. It's um...
>> pretty cheeseball!
>>
>> I could be wrong.
>
> You are.....Earthlink has a news server that includes Microsoft newsgroups.

I haven't accessed the earthlink news servers in years. It was so buggy
that one of the busiest groups on the server was the group devoted to
news.earthlink. Hopefully they've fixed it by now. I just went there and
found this one message (below) available, showing the new configs.
(note that you are required to use your email address to >logon only<, not
necessarily as a return address in posts, which should be munged.)

I just accessed news.east.earthlink.net.. hey!..it works.. ;-)



<quote>
Dear EarthLink Newsgroup User,

We are pleased to announce an upgrade to our Usenet service, effective
immediately.

Our new service includes increased speeds, improved reliability,
longer article retention, more newsgroups, and more. To take advantage
of our new service, you will need to make the following 2 changes:

1) Change your newsgroup server name to either:

news.west.earthlink.net or news.east.earthlink.net.

For more information, including help making this change, please visit:
http://www.earthlink.net/newspolicy

2) Once you've updated your server name, please use your full
EarthLink email address and
password whenever you log into Usenet. Remember, your password is case
sensitive, so make sure your CAPS LOCK button is off.

As part of this upgrade, we are changing our Usenet access policies to
better serve all of our users. Members will be permitted to download a
maximum of 1500MB (1.5GB) over a rolling 30-day period. Users who
exceed this quota will have a reduced download speed of 64Kbps until
the account again falls below the quota. Please note that dial-up
subscribers will not be affected by this change.

For more information about our Newsgroup service, please visit:
http://www.earthlink.net/newsfacts

NEED HELP?

LIVE CHAT: Trade real-time online messages with a Live Chat
representative who can provide all of the same support that our
award-winning phone representatives provide:
http://support.earthlink.net/chat

EMAIL SUPPORT: You always have the option of sending us a message and
getting a response that day!
http://support.earthlink.net/email

(Using these forms will ensure that your message is routed to someone
who can help you.)

We hope you enjoy using EarthLink's new and improved Usenet service.

Sincerely,

EarthLink Customer Support

glee
February 14th 05, 02:55 AM
"Bill Blanton" > wrote in message
...
> "glee" > wrote in message
...
> > "newbietuesday" > wrote in message
> > lkaboutsoftware.com...
> >> Yeah, I have dial-up... (earthlink to be precise)
> >>
> >> I don't believe (???) that earthlink supports newsgroups. It's um...
> >> pretty cheeseball!
> >>
> >> I could be wrong.
> >
> > You are.....Earthlink has a news server that includes Microsoft newsgroups.
>
> I haven't accessed the earthlink news servers in years. It was so buggy
> that one of the busiest groups on the server was the group devoted to
> news.earthlink. Hopefully they've fixed it by now. I just went there and
> found this one message (below) available, showing the new configs.
> (note that you are required to use your email address to >logon only<, not
> necessarily as a return address in posts, which should be munged.)
>
> I just accessed news.east.earthlink.net.. hey!..it works.. ;-)

The "new" configs have been in effect for at least a couple of years, IIRC. I
started out on Mindspring, well before they merged with Earthlink, and by the time
they merged news servers I was off them completely and just posting on the MS
server. When I went back to the non-MS groups for a while, the EarthLink servers
were straightened out already. There was a long period after the merger when
*everything* was screwed up, and I was very sorry that the merger took place. (I
still am, actually).
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/goodpost.htm


>
>
>
> <quote>
> Dear EarthLink Newsgroup User,
>
> We are pleased to announce an upgrade to our Usenet service, effective
> immediately.
>
> Our new service includes increased speeds, improved reliability,
> longer article retention, more newsgroups, and more. To take advantage
> of our new service, you will need to make the following 2 changes:
>
> 1) Change your newsgroup server name to either:
>
> news.west.earthlink.net or news.east.earthlink.net.
>
> For more information, including help making this change, please visit:
> http://www.earthlink.net/newspolicy
>
> 2) Once you've updated your server name, please use your full
> EarthLink email address and
> password whenever you log into Usenet. Remember, your password is case
> sensitive, so make sure your CAPS LOCK button is off.
>
> As part of this upgrade, we are changing our Usenet access policies to
> better serve all of our users. Members will be permitted to download a
> maximum of 1500MB (1.5GB) over a rolling 30-day period. Users who
> exceed this quota will have a reduced download speed of 64Kbps until
> the account again falls below the quota. Please note that dial-up
> subscribers will not be affected by this change.
>
> For more information about our Newsgroup service, please visit:
> http://www.earthlink.net/newsfacts
>
> NEED HELP?
>
> LIVE CHAT: Trade real-time online messages with a Live Chat
> representative who can provide all of the same support that our
> award-winning phone representatives provide:
> http://support.earthlink.net/chat
>
> EMAIL SUPPORT: You always have the option of sending us a message and
> getting a response that day!
> http://support.earthlink.net/email
>
> (Using these forms will ensure that your message is routed to someone
> who can help you.)
>
> We hope you enjoy using EarthLink's new and improved Usenet service.
>
> Sincerely,
>
> EarthLink Customer Support

Satellite Man
February 14th 05, 04:48 AM
Not true. If the .dll is registered then it must be "unregistered" through
DOS before replication can be halted. Even then a good (bad) programmer can
cause the .dll to shadow itself in memory. You can delete all the .exes you
want to but if the .dll is still registered it will come back. Anyway, you
can't delete the .dll until it is unregistered. I suggest you travel to:
http://www.doxdesk.com/ , and once there go to Parasites/Database. You will
find CoolWebSearch in their database. As soon as you get to the Parasites
page a script will automatically run and detect any Malware you have and
then give you a detailed manual removal set of instructions. If you are lazy
then don't waste your time...just format and be done with it. However, you
will find the help you need at this site. Be prepared to work for a while.
GL!

HTH,
DTV
"Don Phillipson" > wrote in message
...
newbietuesday wrote:
> The cat came back the very next day...
> The cat came back...
> he thought it was a goner, but...
>
> (repeat)
> or
> (repeat while banging head against a wall)

When in doubt, so long as you can identify
its EXE or any essential DLL, delete in DOS.
You will no doubt get error messages (file
not found) but deleting the EXE usually prevents
the malware from replicating itself.

Bill Blanton
February 14th 05, 03:06 PM
"glee" > wrote in message ...
> "Bill Blanton" > wrote in message
> ...

>> I haven't accessed the earthlink news servers in years. It was so buggy
>> that one of the busiest groups on the server was the group devoted to
>> news.earthlink. Hopefully they've fixed it by now. I just went there and
>> found this one message (below) available, showing the new configs.
>> (note that you are required to use your email address to >logon only<, not
>> necessarily as a return address in posts, which should be munged.)

> The "new" configs have been in effect for at least a couple of years, IIRC. I
> started out on Mindspring, well before they merged with Earthlink, and by the time
> they merged news servers I was off them completely and just posting on the MS
> server. When I went back to the non-MS groups for a while, the EarthLink servers
> were straightened out already. There was a long period after the merger when
> *everything* was screwed up, and I was very sorry that the merger took place. (I
> still am, actually).

Yeah, that was about the same time they gobbled up Verio, which had previously
bought out my local ISP/BBS "magicnet". I found earthlink's usenet service so slow
and buggy that I found a free service to use instead.

They let you keep the mindspring address?
They didn't for verio.net, though my original magicnet addy still works.
Somewhere buried deep in the earthlink server is the magicnet.net domain.
They probably don't even know it's there.. I know it doesn't show up in
the earthlink "my account" (or whatever it's called) page.

Rick Chauvin
February 14th 05, 03:36 PM
"Satellite Man" > wrote in message


[...]

> it will come back. Anyway, you can't delete the .dll until it is
unregistered.

[...]

A tidbit is that actually after you delete the exe files of these search
engine pests then yes you can just delete the .dll in dos or wherever
convenient just so long as it's not in windows, but once it's gone then its
memory shadow will also cease to exist to rewrite its registry entries
again; but if one doesn't know to do all that then get the programs you
mentioned to do it for you. ..twas just a tidbit I wanted to mention though
because it can be done ..anything can :)

Rick
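
An added example (not code from this thread, and not from CWShredder, Ad-Aware, Spybot or HijackThis) illustrating what the removal advice above is really asking you to look at: the IE start/search page values that an about:blank hijacker keeps rewriting, the Browser Helper Object CLSIDs registered under HKLM and the DLL each one maps to, and which running process, if any, still has that DLL loaded, which is why the DLL cannot be deleted or unregistered until the process is stopped (the "memory shadow" discussed just above). It is read-only and removes nothing. It assumes a Windows host with the Internet Explorer registry keys present and an elevated PowerShell session; the "suspicious location" heuristic is this example's own assumption, not a rule stated in the thread.

```powershell
# Added example, not code from the thread or from any tool it names.
# Read-only inventory of the registry locations an about:blank-style browser
# hijacker typically touches (the R0/O2 lines a HijackThis log shows), plus a
# check of which running process, if any, has a BHO DLL mapped into memory.
# Assumptions: Windows with Internet Explorer keys present; run elevated so
# every process's module list is readable. The "suspicious location" rule is
# this example's own heuristic.

function Get-IeStartPages {
    # R0/R1-style entries: the start/search pages the hijacker keeps rewriting.
    foreach ($hive in 'HKCU', 'HKLM') {
        $main = "${hive}:\Software\Microsoft\Internet Explorer\Main"
        if (-not (Test-Path $main)) { continue }
        $props = Get-ItemProperty -Path $main
        foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL', 'Local Page') {
            $value = $props.$name
            if ($null -eq $value) { continue }
            [pscustomobject]@{
                Kind   = 'IE setting'
                Hive   = $hive
                Name   = $name
                Detail = $value
                # about:blank as the start page is the symptom reported in the thread
                Flag   = if ($value -eq 'about:blank') { 'matches about:blank symptom' } else { '' }
            }
        }
    }
}

function Get-LoadingProcesses([string]$DllPath) {
    # Which processes currently have this DLL mapped. While any of them is
    # running, the file is in use and cannot be deleted or unregistered.
    $owners = @()
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        try {
            if ($p.Modules | Where-Object { $_.FileName -ieq $DllPath }) {
                $owners += "$($p.ProcessName) (PID $($p.Id))"
            }
        } catch { }  # access denied on protected processes; skip them
    }
    return $owners
}

function Get-BrowserHelperObjects {
    # O2-style entries: every subkey is a CLSID; the implementing DLL is the
    # default value of HKCR\CLSID\{clsid}\InprocServer32.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = ''
        if (Test-Path $inproc) { $dll = (Get-ItemProperty -Path $inproc).'(default)' }
        $dll = [Environment]::ExpandEnvironmentVariables("$dll").Trim('"')
        $flags = @()
        if (-not $dll) {
            $flags += 'no InprocServer32 path'
        } elseif (-not (Test-Path $dll)) {
            $flags += 'DLL missing (deleted, or hidden from the current view)'
        } else {
            # Heuristic (this example's assumption): legitimate BHOs rarely sit
            # directly in the Windows or temp folder; hijackers often do.
            $dir = [IO.Path]::GetDirectoryName($dll).TrimEnd('\')
            if ($dir -ieq $env:windir -or $dir -ieq $env:TEMP) { $flags += 'suspicious location' }
            $owners = Get-LoadingProcesses $dll
            if ($owners) { $flags += "loaded by $($owners -join ', ')" }
        }
        [pscustomobject]@{ Kind = 'BHO'; Hive = 'HKLM'; Name = $clsid; Detail = $dll; Flag = ($flags -join '; ') }
    }
}

@(Get-IeStartPages) + @(Get-BrowserHelperObjects) | Format-Table -AutoSize -Wrap
```

Run it before and after a cleaning pass: a BHO whose DLL reappears, or whose `Flag` column still says it is loaded by a process after you think it is gone, is exactly the case the posters above are describing, and the PID tells you which process has to be stopped (or which is why Brian suggests Safe Mode) before the file can be removed. Like a HijackThis log, the table lists legitimate entries too, so it is something to read and ask about, not a delete list.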

glee
February 14th 05, 06:09 PM
"Bill Blanton" > wrote in message
...
>
> "glee" > wrote in message
...
> > "Bill Blanton" > wrote in message
> > ...
>
> >> I haven't accessed the earthlink news servers in years. It was so buggy
> >> that one of the busiest groups on the server was the group devoted to
> >> news.earthlink. Hopefully they've fixed it by now. I just went there and
> >> found this one message (below) available, showing the new configs.
> >> (note that you are required to use your email address to >logon only<, not
> >> necessarily as a return address in posts, which should be munged.)
>
> > The "new" configs have been in effect for at least a couple of years, IIRC. I
> > started out on Mindspring, well before they merged with Earthlink, and by the
time
> > they merged news servers I was off them completely and just posting on the MS
> > server. When I went back to the non-MS groups for a while, the EarthLink
servers
> > were straightened out already. There was a long period after the merger when
> > *everything* was screwed up, and I was very sorry that the merger took place.
(I
> > still am, actually).
>
> Yeah, that was about the same time they gobbled up Verio, which had previously
> bought out my local ISP/BBS "magicnet". I found earthlink's usenet service so slow
> and buggy that I found a free service to use instead.
>
> They let you keep the mindspring address?
> They didn't for verio.net, though my original magicnet addy still works.
> Somewhere buried deep in the earthlink server is the magicnet.net domain.
> They probably don't even know it's there.. I know it doesn't show up in
> the earthlink "my account" (or whatever its called) page.

Yes, the Mindspring addresses are still in force. That's because Earthlink did not
gobble up Mindspring....they actually merged and decided to use the Earthlink name
because they thought it was better-known. Mindspring had already gobbled up its
share of smaller ISPs prior to the merger. It was supposed to be a 50-50
partnership, or whatever, with executives from both companies. Unfortunately, the
Earthlink influences eventually predominated....Mindspring was a lot better before
the merger, IMHO.

....glen

newbietuesday
February 15th 05, 04:40 AM
Hey! Thanks everyone for posting these valuable comments and ideas.

I took a day off from messing with this thing to spend some time with my
girlfriend. I backed up all my relevant data too, so I can perform the
standard Windows (re-install often) operating procedure now...

Now... fixing the thing is just a matter of pride.

BTW, Don't crap on Earthlink too much. When I had to abandon my DSL, I
hadn't had dial-up for years, and I tried NetZero ...Now that's an ISP
with problems! As bad as Earthlink might be, they are certainly better
than NetZero.

Oddly, Earthlink sent out a fresh e-mail today with some info about their
new update service and the dangers of trojan horses and all that. I was
able to download the app "SpyAudit" that finds the little beasts. It
found 1 Trojan and 3 Adwares which it labels with the dread epitaph of
"Research in Progress."

I assume this is a way of them saying that they are busy working on nice,
convenient patches for these web monkeys.

I'm also thinking that the fact that they send this e-mail out is not a
coincidence.

I have not found the .exe file responsible for this variant of illness
yet. I've done all the puttering with Spybot S&D, Regedit, and DOS that I
can think of.

I'm thinking that since all my signature files and such are up to date
that this is relatively new junk.

I'm going to bed, but if I find more info on this beast I shall post it
for the entertainment of everyone who hath lent a kind ear.

Thanks,
-NT

Brian A.
February 15th 05, 08:21 PM
First off I see no mention of you running CoolWebShredder which was created
to deal strictly with CoolWebSearch parasites, one of which is about:blank.

Secondly I do not see any mention of Ad-Aware. Ad-Aware and Spybot S&D
complement each other by finding parasites that the other can't.

Thirdly the .exe may be hidden, or worse super hidden. You need to have your
folder options set to show all files and all extensions for any chance of
possibly finding it.

Fourth I suggest once again getting, running and posting a log of HijackThis
to an appropriate forum where they specialize in removal.

--

Brian A.

Conflicts start where information lacks.
http://www.dts-l.org/goodpost.htm


"newbietuesday" > wrote in message
lkaboutsoftware.com...
> Hey! Thanks everyone for posting these valuable comments and ideas.
>
> I took a day off from messing with this thing to spend some time with my
> girlfriend. I backed up all my relevant data too, so I can perform the
> standard Windows (re-install often) operating procedure now...
>
> Now... fixing the thing is just a matter of pride.
>
> BTW, Don't crap on Earthlink too much. When I had to abandon my DSL, I
> hadn't had dial-up for years, and I tried NetZero ...Now that's an ISP
> with problems! As bad as Earthlink might be, they are certainly better
> than NetZero.
>
> Oddly, Earthlink sent out a fresh e-mail today with some info about their
> new update service and the dangers of trojan horses and all that. I was
> able to download the app "SpyAudit" that finds the little beasts. It
> found 1 Trojan and 3 Adwares which it labels with the dread epitaph of
> "Research in Progress."
>
> I assume this is a way of them saying that they are busy working on nice,
> convenient patches for these web monkeys.
>
> I'm also thinking that the fact that they send this e-mail out is not a
> coincidence.
>
> I have not found the .exe file responsible for this variant of illness
> yet. I've done all the puttering with Spybot S&D, Regedit, and DOS that I
> can think of.
>
> I'm thinking that since all my signature files and such are up to date
> that this is relatively new junk.
>
> I'm going to bed, but if I find more info on this beast I shall post it
> for the entertainment of everyone who hath lent a kind ear.
>
> Thanks,
> -NT