Security Incidents mailing list archives

RE: IE default Page


From: "wnorth" <wnorth () verizon net>
Date: Fri, 16 Jul 2004 12:28:49 -0700

Thanks first off for all the great suggestions. I ended up finding a
solution that worked. The file is obviously hidden in the system32
directory. By using FindnFix (http://freeatlast100.100free.com/) I was able to
find the file, as it was marked with special permissions. I then used
Registrar Lite and navigated to the following key,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs,
which happens to have a REG_SZ value called AppInit_DLLs; basically the value
of that REG_SZ was the same file found by FindnFix, which couldn't access the
file due to permission problems. I renamed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windowsbak,
deleted the REG_SZ value (not the REG_SZ itself), then renamed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windowsbak to
its original name. I then rebooted the system, found the file under
c:\windows\system32 and deleted it.

I know it fixed the problem because the default search page that is used
when a domain isn't found returned to normal, as did the standard "page
cannot be displayed" page which pops up when you enter an invalid URL string.

Needless to say this was a major pain in the you know what. However, it has
taught me to really tighten up the IE security features...man I've never
been hit this hard...or at least something this hard to remove.

-Wes

-----Original Message-----
From: wnorth [mailto:wnorth () verizon net] 
Sent: Thursday, July 15, 2004 5:46 PM
To: incidents () securityfocus com
Subject: IE default Page

Interesting bug going around, CoolWebSearch, has anyone been successful in
removing this virus from a system? It looks like it recreates the DLL under
c:\windows\system32 and renames it after a few reboots. It's pretty annoying
and I haven't been able to fully contain it.

Thoughts? Suggestions? I've used HijackThis, CWShredder and a few spyware
detectors, but nothing is really fixing the problem.

Thanks,

-Wes
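As an added example (not part of the thread above or of any tool it mentions), here is a PowerShell audit of the persistence point Wes describes: it reads the AppInit_DLLs value, resolves each DLL it names against System32, and reports whether the file exists, whether it is hidden, who owns it, and whether it carries a valid Authenticode signature. It assumes it is run from an elevated prompt; the Wow6432Node key is an assumption for 64-bit hosts and is not mentioned in the post.

```powershell
# Added example, not from the original post. Audit AppInit_DLLs (the value
# CoolWebSearch used for persistence in the thread) and report every DLL it names.
# Run from an elevated PowerShell prompt.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # Assumed: the 32-bit view of the same key on 64-bit Windows.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllReport {
    $report = @()
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $value = (Get-ItemProperty -LiteralPath $key).AppInit_DLLs
        if ([string]::IsNullOrWhiteSpace($value)) {
            $report += [pscustomobject]@{ Key = $key; Dll = ''; Status = 'empty (expected on a clean system)'
                                          Hidden = $false; Owner = ''; Signature = '' }
            continue
        }
        # The value is a space- or comma-separated list; bare names load from System32.
        foreach ($entry in ($value -split '[ ,]+' | Where-Object { $_ })) {
            $path = $entry
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot "System32\$entry"
            }
            # -Force is needed to see files carrying the Hidden/System attributes.
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $report += [pscustomobject]@{ Key = $key; Dll = $entry; Status = 'value set but file not found'
                                              Hidden = $false; Owner = ''; Signature = '' }
                continue
            }
            $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
            # An unreadable ACL matches the "special permissions" symptom in the post.
            $owner = if ($acl) { $acl.Owner } else { 'ACL unreadable' }
            $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
            $report += [pscustomobject]@{
                Key       = $key
                Dll       = $path
                Status    = 'value set and file present: investigate'
                Hidden    = [bool]($item.Attributes -band [System.IO.FileAttributes]::Hidden)
                Owner     = $owner
                Signature = $sig
            }
        }
    }
    return $report
}

Get-AppInitDllReport | Format-Table -AutoSize
```

On a clean workstation the value is normally empty; any hidden, unsigned or ACL-restricted DLL listed here is worth preserving for analysis before the registry value is cleared and the file removed.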
