Need Assistance - Browser Hijacked.

Hard Idle

Active member
Jan 15, 2005
4,959
23
38
North York
Two and a half years after being liberated from coolwebsearch, I may have caught some trouble. Woke up Sunday afternoon to find my Explorer had its default page set to this:

www. download.it.extras.carima.gorgyill-bisfo.com/home-6.php

It seems fairly new - Googled it and got nothing, tried all terms separately and only came up with results for "carima" for previous spyware. Spybot is not recognizing it. It opens about 5 new Explorer windows, each asking you to download some software.

In 2004 I had a guy disable the entire "home page" feature so that it was greyed out and permanently on "blank", ever since then I've never had any of these problems with redirects and hijacking until now. The field is still greyed out and the buttons are disabled but somehow it has replaced the "blank" default.

While deleting Temp files, I ran into it in a few files which seemed to resist deleting, but later they were gone, there is now nothing left except the index.

Unfortunately I know nothing about software, but it's also not a good time to bug my computer guy with this this week. Is there anything I can try on my own, where to look and what to delete? Are there any free downloads that might locate it?

If it is hiding in the index, where can I find the best idiot-proof tutorial for going into DOS and getting rid of all the internet files for good without messing up anything else?

http://www.download.it.extras.carima.gorgyill-bisfo.com/home-6.php
 

Keebler Elf

The Original Elf
Aug 31, 2001
14,591
213
63
The Keebler Factory
If you haven't reinstalled Windows since 2004, that should be one of your first priorities! There's probably all sorts of junk in your registries.
 

juanbrujo

New member
Nov 12, 2004
1,319
0
0
Toronto
There are several things that you can do.

First, you can download Ad-aware since you already have Spybot, to remove most hijackers completely, unless it is one which has just started spreading. This product has a free version.

Ad-aware:

http://www.lavasoft.de/

Second, if you are using IE7 you can reset the browser:

1. Click the Tools menu, and then click Internet Options.

2. On the Advanced tab, click Reset.

3. In the Reset Internet Explorer Settings dialog box, click Reset.

4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.

5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

Third, you can remove the entries that reference the Web site from the registry:

1. Click Start, and then click Run.

2. In the Open box, type regedit, and then click OK.

3. Locate the following registry entries (if they exist):

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

4. Right-click each entry that you have located in step 3, and then click Delete. Click Yes to confirm the deletion.

This action resets the Internet Explorer home page and Search page in Internet Explorer.

5. On the File menu or the Registry menu, click Exit to quit Registry Editor.

6. Configure Internet Explorer to use the home page that you want. To do this, follow these steps:

a. Start Internet Explorer, and then connect to the Web site that you want to use as your home page.

b. On the Tools menu, click Internet Options. Click the General tab, and then click Use Current.

7. Empty the contents of the Temporary Internet Files folder. To do this, click Delete Files under Temporary Internet files, and then click OK.

Fourth, check the Hosts file.

1. Click Start, click All Programs, click Accessories, and then select Notepad.

2. Open the Hosts file or the Lmhosts file at C:\Windows\System32\drivers\etc\. Look for anything in these files that references the web site. Make the necessary changes, and then click Save on the Edit menu.
 
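A read-only way to run the registry and Hosts checks from the post above against saved copies, added here as an example and not part of the original post: it scans the text of a Hosts file and of a Registry Editor export for the three listed Internet Explorer values. The function names, the `hijacker.example` marker and the sample data are constructed for illustration.

```python
import re

# Key and value names from the post: HKEY_CURRENT_USER ... Internet Explorer\Main
IE_MAIN = r"hkey_current_user\software\microsoft\internet explorer\main"
IE_VALUES = {"start page", "search page", "search bar"}
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def audit_hosts(text, marker):
    """Return (line_no, address, hostname) for hosts entries naming the marker."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comment, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        for name in fields[1:]:  # one address may carry several hostnames
            if marker.lower() in name.lower():
                hits.append((line_no, fields[0], name))
    return hits

def audit_reg_export(text, marker):
    """Return (value_name, data) for the listed IE values that reference the marker."""
    hits, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # key that the following values belong to
            continue
        m = REG_VALUE.match(line)
        if m and key == IE_MAIN and m.group(1).lower() in IE_VALUES:
            if marker.lower() in m.group(2).lower():
                hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample inputs (not taken from the thread).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.9.8.7    www.hijacker.example search.hijacker.example  # constructed entry
192.168.1.5 printer
"""
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.hijacker.example/home.php"
"Search Page"="http://www.google.com"
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"
'''
if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS, "hijacker.example"))
    print(audit_reg_export(SAMPLE_REG, "hijacker.example"))
```

Registry Editor on Windows 2000 and later saves exports as UTF-16 by default, so decode the file with that encoding before passing its text in.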

Hard Idle

funsmartguy said:
good post juanbrujo, thx.

FSG
I'll second that. This is one of the most concise and novice-friendly sets of directions I've ever come across. Thanks.

I hope to have time to try some of these on Tuesday night. The Explorer is still usable when I open a shortcut I've made available offline and then go to google from the favourites, it seems to function without any popups or redirects, although it's a bit slower. I still need to use it tomorrow as I'm in the process of trying to switch jobs this week.

BTW it's Windows 98 or 2000 - I'll double check - and I think the Explorer is a couple of versions old. I don't know if that makes a difference with anything.

- Can I use Ad-Aware alongside AVG free edition and Spybot? I used to have Ad-Aware but was told I didn't need it when I got Spybot - and Ad-Aware wasn't dealing with the coolwebsearch recurrences so I lost confidence in it at the time, although I do remember that with Ad-Aware I was notified of Trojan & Dialer threats more often.

- I overheard that AVG no longer works on older Windows versions. Does this apply to the free edition as well? I KNOW it was working last year, and the new version was installed in late January - continues to test and update daily, but I don't know if it's actually doing anything since the update...

- what do I do about the index.dat?
 

Hard Idle

I've heard that "carima" is known for dialers. Do I need to report this to Sympatico in case it tries to use my connection to run up a bill? How much trouble could it have caused if the infestation started Sunday morning at 3:50AM?
 

thewheelman

New member
Feb 3, 2004
576
0
0
Get an app called HijackThis. Run it and post the log file. It will find all those little nasties running on your PC and tell you where they reside.

Dialer cannot run up a bill on Sympatico DSL, but if you have a dial-up modem card in your PC (like a FAX modem) and it is connected, then your PC could be dialing up Russian phone sex lines all nite long. No wonder it is so slow in the morn :)
 