Security Incidents mailing list archives
RE: IE default Page
From: "wnorth" <wnorth () verizon net>
Date: Fri, 16 Jul 2004 12:28:49 -0700
Thanks first off for all the great suggestions. I ended up finding a solution that worked. The file is obviously hidden in the system32 directory. By using FindnFix http://freeatlast100.100free.com/ I was able to find the file, as it was marked with special permissions. I then used Registrar Lite and navigated to the following key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, which happens to have a Reg_SZ value called AppInit_DLLs; basically the value of that Reg_SZ was the same file found by FindnFix, which couldn't access the file due to permission problems.

I renamed HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windowsbak, deleted the Reg_SZ value (not the Reg_SZ itself), then renamed HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windowsbak to its original name. I then rebooted the system, found the file under c:\windows\system32 and deleted it.

I know it fixed the problem because the default search page that is used when a domain isn't found returned to normal, as did the standard "page cannot be displayed" page which pops up when you enter an invalid URL string. Needless to say this was a major pain in the you know what. However, it has taught me to really tighten up the IE security features... man, I've never been hit this hard... or at least something this hard to remove.

-Wes

-----Original Message-----
From: wnorth [mailto:wnorth () verizon net]
Sent: Thursday, July 15, 2004 5:46 PM
To: incidents () securityfocus com
Subject: IE default Page

Interesting bug going around, coolwebsearch, has anyone been successful in removing this virus from a system? It looks like it recreates the DLL under c:\windows\system32 and renames it after a few reboots. It's pretty annoying and I haven't been able to fully contain it. Thoughts? Suggestions?

I've used HijackThis, CWShredder and a few spyware detectors, but nothing is really fixing the problem.

Thanks,
-Wes
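The AppInit_DLLs value described in the message above is a well-known persistence location: any DLL listed there is loaded into every process that loads user32.dll. The following PowerShell script is an added example, not part of the original post or of any tool named in it; it enumerates the value (64-bit and WOW6432Node views), resolves each listed DLL and reports whether it exists, its attributes and its owner, so an unexpected entry can be spotted during triage. It assumes Windows Vista or later, where the LoadAppInit_DLLs gate exists; on Windows XP, as in the post, only AppInit_DLLs is present and the gate reads as empty.

```powershell
# Added example (not from the original post): report AppInit_DLLs persistence entries.
# Assumes Vista or later for LoadAppInit_DLLs; the value is absent on XP.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllReport {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $raw   = [string]$props.AppInit_DLLs
        $gate  = $props.LoadAppInit_DLLs   # 1 = hook active; $null on XP (always active there)

        if ([string]::IsNullOrWhiteSpace($raw)) {
            [pscustomobject]@{ Key = $key; Dll = '<empty>'; Exists = $false
                               Attributes = ''; Owner = ''; LoadEnabled = $gate }
            continue
        }

        # The value is a space-, comma- or semicolon-separated list of DLL names or paths.
        # A bare name is resolved relative to System32, which is where the post found it.
        foreach ($entry in ($raw -split '[ ,;]+' | Where-Object { $_ })) {
            $path = $entry
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $entry
            }
            $exists = Test-Path -LiteralPath $path
            $attrs  = ''
            $owner  = ''
            if ($exists) {
                # -Force is needed so hidden/system files are returned.
                $item  = Get-Item -LiteralPath $path -Force
                $attrs = $item.Attributes.ToString()
                try   { $owner = (Get-Acl -LiteralPath $path).Owner }
                catch { $owner = "<access denied: $($_.Exception.Message)>" }
            }
            [pscustomobject]@{ Key = $key; Dll = $path; Exists = $exists
                               Attributes = $attrs; Owner = $owner; LoadEnabled = $gate }
        }
    }
}

Get-AppInitDllReport | Format-List
```

An "access denied" owner on a Hidden/System file in System32 listed here matches the symptom in the post (the file was marked with special permissions) and is worth investigating. On a clean workstation the AppInit_DLLs value is normally empty.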