About Blank or HOMEOldSP Trojan


MomboMan
June 23rd 04, 12:46 PM
I have this trojan that continually turns my home page to
about blank which points to a garbage search page. I also
get pop-ups telling me my computer has spyware and I need
to download software to fix it. (This is referred to as
extortion where I come from). This installs application
or application extension files that keep reinstalling
themselves after you run popular spyware programs. The
fix associated with this tells you to go into the
registry. However, in my computer, some of these folders
don't exist. I am thinking that it is because I run ME
and it is configured somewhat differently. Has anyone had
this problem and how did you fix it running ME?

Mike M
June 23rd 04, 01:01 PM
You've been hijacked, quite possibly by a variant of the CoolWebSearch
parasite. Probably by the CWS.Aboutblank variant
(http://www.spywareinfo.com/~merijn/cwschronicles.html#aboutblank)

Download and run CWShredder
(http://www.zerosrealm.com/downloads/CWShredder.zip or
http://www.spywareinfo.com/~merijn/files/cwshredder.zip) which is the best way
of getting rid of the many forms of the CoolWebSearch hijacker, details of
which can be found at http://www.spywareinfo.com/~merijn/cwschronicles.html
and also http://www.pestpatrol.com/pestinfo/c/cws.asp.

This would be a good time to download yourself a copy of the free Ad-Aware 6.0
from Lavasoft (http://www.lavasoftusa.com/software/adaware/) and also SpyBot
Search & Destroy (http://www.safer-networking.org/) and use them to check your
system for other commercial parasites remembering that they are only as good
as when you last updated their reference files. I also use a program called
BHODemon (http://www.definitivesolutions.com/bhodemon.htm) that checks for
unwanted Browser Help Objects and SpywareBlaster
(http://www.wilderssecurity.net/spywareblaster.html) which can help prevent
many parasites getting a grip on your PC.
--
Mike Maltby MS-MVP




MomboMan
June 23rd 04, 04:49 PM
Mike,

Thanks for the suggestion, but I've already run all that
you suggest and a few more to boot, including SpySweeper
and HijackThis. I've used KillBox too. What this thing
does is put an app extension (.dll) file into your
Windows\System\ file that continually reinserts itself.
Manual registry clean ups are done, only to see it all
come back. I have seen fixes for XP users, but I don't
have the same registry paths on my ME. That is why I came
here, to see if ME users could help with an exact fix.
This is particularly nasty, and unless the extensions (I
believe there are two) are not cleaned out, it just keeps
coming back. Thanks for your suggestions, I appreciate
your offer of help.

Mike M
June 23rd 04, 05:19 PM
What registry paths don't you have? I think you'll find the same keys are
going to be used regardless of the OS so if yours are different then this
would suggest you might have a different strain of the parasite.

Incidentally it would probably have helped and saved me and perhaps others
from wasting their time if you had included all relevant details in your
original post such as the fix that doesn't work and the anti spyware tools you
have already tried (you said you had run popular spyware programs which could
have meant Gator, Kazaa, etc. for all I knew rather than programs to help
detect and remove spyware <g>).

Unfortunately there are a number of recent parasites that morph in the way you
are seeing including not only CWS but also another called Safeguard.
--
Mike Maltby MS-MVP




MomboMan
June 23rd 04, 06:34 PM
HKLM\Software\Microsoft\Windows\CurrentVersion\Windows\AppInt_DLLs.
As I open my registry I am fine up to
CurrentVersion. After that, there is not a Windows
folder. There are three others. I also run find in the
registry and cannot find AppInt. As I see the fix
published on other help sites, the victim's HijackThis
log usually indicates that they are running XP. That's why
I'm here... I figured that the registry is slightly
different in ME and the trojan is somewhere else. The
trick is where.

Mike M
June 23rd 04, 07:52 PM
Since you appear unwilling to provide the information requested such as a link
to the fix that doesn't work I feel I have to now leave this thread to others to
respond.

Incidentally XP has no key
HKLM\Software\Microsoft\Windows\CurrentVersion\Windows\AppInt_DLLs
nor does it have
HKLM\Software\Microsoft\Windows\CurrentVersion\Windows
It does however have the key
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
which contains the value AppInit_DLLs and yes, you are correct, such a key is
not part of the Win Me registry.

Why not post your HijackThis logs to the HijackThis forum where you will get
the help you require? With so little information provided in this thread I
doubt that anyone here is going to be able to help you.

Regards,
--
Mike Maltby MS-MVP



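Added example, not part of any post in this thread: a small Python check for the point Mike M makes above, that AppInit_DLLs is a value under the `Windows NT\CurrentVersion\Windows` key and that this key is not present on Win Me. It reads a registry text export and reports either the listed DLLs or that the key is absent; the function names and both sample exports are constructed for illustration.

```python
import re

# AppInit_DLLs lives under this key on NT-family Windows; per the thread, Win Me lacks it.
NT_WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Parse string (REG_SZ) values from a registry text export into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                current[_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return keys

def appinit_dlls(text):
    """Return None if the NT key is absent, else the DLLs listed in AppInit_DLLs."""
    values = parse_reg_export(text).get(NT_WINDOWS_KEY.lower())
    if values is None:
        return None
    # The value is a space- or comma-separated list of DLL names.
    return [d for d in re.split(r"[ ,]+", values.get("appinit_dlls", "")) if d]

# Constructed sample exports (not taken from the thread).
XP_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\example1.dll example2.dll"
"DeviceNotSelectedTimeout"="15"
'''
ME_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''

if __name__ == "__main__":
    print("XP export:", appinit_dlls(XP_EXPORT))
    print("Me export:", appinit_dlls(ME_EXPORT))
```

A result of `None` means the key itself is missing from the export, which is different from an empty list (key present, nothing loaded through AppInit_DLLs).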