
Tooncomics.com/main/hp.php

The BHO looks like this in a HijackThis log:
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
Deleting this BHO prevents it from restoring the autostarting regkeys, which

CWS.Smartfinder Variant 29: CWS.Smartfinder - Turning over new stones
Approx date first sighted: January 11, 2004
Log reference: http://forums.spywareinfo.com/index.php?showtopic=27673
Symptoms: IE hijacked to nkvd.us and smart-finder.biz, redirections to nkvd.us and smart-finder.biz
Symptoms: Homepage changed to xwebsearch.biz and 'http:///', hijack returning on reboot or even sooner.
Cleverness: 6/10
Manual removal difficulty: Involves lots of Registry editing and some .ini file editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet

Some of the variants even used methods of hiding and running themselves that had never been used before in any other spyware strains. Type in the name of the browser homepage. Cleverness: 7/10 Manual removal difficulty: Involves some Registry editing, and using a command prompt to delete the files. Possibly it also drops the file SVCHOST.OLD for unknown purposes. https://forums.techguy.org/threads/tooncomics-com-main-hp-php.183469/

Exam. http://www.spywareinfo.com/~merijn/files/cwshredder.zip If you haven't already, please get Spybot S&D to clear out most of the spyware. Approx date first sighted: December 7, 2003 Log reference: http://forums.spywareinfo.com/index.php?showtopic=23210 Symptoms: IE pages changed to windoww.cc, super-spider.com and search2004.net Cleverness: 3/10 Manual removal difficulty: Involves some Registry editing, and restoring a Though a file determining its actions depending on the filename is very bad programming, it surprised me somewhat because it works so well. CWS.Tapicfg.2: A mutation of this variant exists that uses

Some of the variants even used methods of hiding and running themselves that had never been used before in any other spyware strains. Depending on your version of Windows, look for instructions on how to run your op.in safe mode. Winproc32.exe loads at startup, and hijacks IE. There only were several threads of users experiencing enormous slowdowns in IE when typing messages into text boxes.

The hijack is the same as the first version for almost all other aspects, and both HijackThis and CWShredder have been updated to circumvent the problem. Apparently, this program is programmed so badly, it won't even carry out its payload and does not hijack IE. Variant 17: CWS.Googlems - We have a payload! http://boards.straightdope.com/sdmb/archive/index.php/t-225989.html The difficulty of removing CWS from a user's system has grown from slightly tricky in the first variant to virtually impossible for the latest few.

The second version probably fixed this a few days later, since people started surfacing that had been hijacked by this thing. If CWShredder repeatedly reports removing this variant, it cannot remove winlogon.exe. This variant is the first one that is not visible in a HijackThis log. Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.

  1. Known filenames used by this variant:
     C:\Program Files\directx\directx.exe
     C:\Program Files\Common Files\System\systeem.exe
     C:\Windows\explore.exe (note the missing 'r')
     C:\Windows\System\internet.exe
     C:\Windows\Media\wmplayer.exe
     C:\Windows\Help\helpcvs.exe
     C:\Program Files\Accessories\accesss.exe
     C:\Games\systemcritical.exe
     C:\Documents Settings\sistem.exe
     C:\Program Files\Common Files\Windows Media Player\wmplayer.exe
     C:\Windows\Start Menu\Programs\Accessories\Game.exe
  2. CWS.Smartsearch.4: A mutation of this variant exists that hijacks to magicsearch.ws instead of smartsearch.ws, uses the startup 'MicrosoftWindows' and also drops the notepad32.exe Notepad hijacker like CWS.Smartsearch.3.
  3. I was "experimenting" as a new computer user and now I can't get rid of tooncomics.com.

Delays of over a minute before the typed text appeared were reported. http://tweaks.com/forum/topic/2433/several-problems-possible-solutiampamp111n/8/ The hijack installed a stylesheet that used a flaw in Internet Explorer and allowed a .css stylesheet file to execute JavaScript code. Please help! I'll start with these first.

How did it get onto my system? Right-click in that pane and choose "select all" and click 'next'. CWS.Alfasearch Variant 19: CWS.Alfasearch - Child's Play Approx date first sighted: November 5, 2003 Log reference: http://forums.spywareinfo.com/index.php?showtopic=16730 Symptoms: IE pages changed to alfa-search.com, possibly porn sites being redirected to 216.200.3.32 (alfa-search.com), It is suspected malware as it appears in 3 different registry locations, but to be sure of this, we will need to see the HijackThis Log please. Cheers

The CoolWebSearch Chronicles The story of a thousand hijacks Dear reader. Google, or www.refdesk.com anyway: I had the same, similar prob. We also started to see some pages which seemed affiliates of CWS since almost all their links led to www.coolwebsearch.com.

CWS.Addclass Variant 16: CWS.Addclass - Halloween edition
Approx date first sighted: October 30, 2003
Log reference: http://forums.techguy.org/showthread.php?threadid=175680
Symptoms: Redirections through ehttp.cc before reaching pages, IE homepage/searchpage changing to rightfinder.net, hijack returning
Symptoms: Some links in Google results redirecting to umaxsearch.com or coolwebsearch.com every now and then
Cleverness: 10/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log: Not visible

After all updates are downloaded, click the Check for problems button.

How do I prevent it from happening again?

It works invisibly, changing links from Google search results to other pages. It also adds a custom stylesheet (like CWS.Bootconf) located at C:\Program Files\Internet Explorer\Readme.txt. (This file is not present on uninfected systems.) It uses a Registry value named nvstart to re-register the The second version probably fixed this a few days later, since people started surfacing that had been hijacked by this thing. CWS.Svchost32 Variant 7: CWS.Svchost32 - Evading detection Approx date first sighted: August 3, 2003 Log reference: http://boards.cexx.org/viewtopic.php?t=1027 Symptoms: Redirections to slawsearch.com when accessing Google, searching on Yahoo or mistyping a URL

GREAT! CWS.Oemsyspnp.2: A mutation of this variant exists that uses the filename keymgr3.inf, and the Registry value keymgrldr instead. I had my browser hijacked, where I couldn't change my homepage. you are asking about.

Cleverness: 3/10 Manual removal difficulty: Involves some Registry editing Identifying lines in HijackThis log: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.slawsearch.com/autosearch.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.slawsearch.com/autosearch.html R0 - HKCU\Software\Microsoft\Internet Are my suspicions correct that this is some type of spyware program? homerjq Thread Starter Joined: Nov 29, 2003 Messages: 9 Please somebody help me. It's called CWShredder and can be downloaded here, in several forms: ENDQUOTE Here I have to point you to a few different points where this story led.

Open that file. Go to Edit | Select all. Now click Edit | copy to copy it. Come back to Webuser, right click and paste its contents here.


Please... Only when this code was deciphered it became clear that CoolWebSearch was behind this all. The MSupdate.exe file is capable of installing a hosts file hijack as well, but doesn't seem to do this. All this is in instructions on how to turn Safe Mode on, & to reboot with Safe Mode back off.