HijackThis examines certain key areas of the Registry and hard drive and lists their contents. These are areas used by both legitimate programs and hijackers, so it is up to you to decide what should be removed. Some items are perfectly fine and should be left alone. Never remove everything: doing so could strip out entries that legitimate programs and add-ins need in order to run. This page will help you work with the experts to clean up your system. For those of you needing instructions on how to copy and paste the contents of a text file into a forum post, please look at the Table of Contents; a link to the instructions is included.
When a DLL is identified as the culprit of a system crash, the less troubleshooting-familiar users may have problems determining just what application or driver may be at fault. Google is a great way to find out all sorts of information about errors, but Microsoft has a great resource to help in this situation as well. The online DLL Help Database not only lets you see which Microsoft apps are tied to a particular DLL, but also which versions are associated with particular applications for those times when a DLL version conflict may be a factor. http://support.microsoft.com/default.aspx?scid=/servicedesks/fileversion/dllinfo.asp
Developed when the Internet was used almost exclusively by academics, the Simple Mail Transfer Protocol, or SMTP, assumes that you are who you say you are.
SMTP makes that assumption because it was never designed to suspect that you are sending a Trojan horse, that you are making fraudulent pleas for money from the relations of deposed African dictators, or that you are hijacking somebody else’s computer to send tens of millions of ads for herbal Viagra.
In other words, SMTP trusts too much, and that has spam foes, security mavens and even an original architect of today’s e-mail system agitating for an overhaul, if not an outright replacement, of the omnipresent protocol.
“I would suggest they just write a new protocol from the beginning,” Suzanne Sluizer, a co-author of SMTP’s immediate predecessor and a visiting lecturer at the University of New Mexico, said in an interview.
While X-Setup is the king of tweakers, that’s sometimes a little overkill when you just want to tidy up a few of your most cherished XP settings. A new interface is the most obvious change with the new TweakUI tool, giving you more of an Explorer sort of feel. The left pane shows expandable categories, with the right side displaying the contents of the selected item. Much more functionality has been added as well, making it a very worthwhile upgrade. Windows XP SP1 or Windows Server 2003 are required, so do bear that in mind.
The start and search settings are changed to a URL in which the letters of the domain name are percent-encoded (each character replaced by a % sign followed by its hexadecimal code), producing an unreadable string of numbers and % symbols. This hides the domain name from the user and also makes the domain harder to blacklist. Internet Explorer decodes the escapes and loads the hijacker’s web site.
An executable file named bootconf.exe is copied to the Windows\System32 folder and set to run at startup. Even if you fix the hijack, this file will reinstall it the next time it runs.
Finally, the malware adds the hijacker’s web site to Internet Explorer’s Trusted sites security zone. Domains in the Trusted zone run with almost no restrictions on what they can do, which gives that web site virtually unlimited access to the infected computer’s file system. We believe the source of the infections might be ActiveX drive-by installers on pornographic web sites, or possibly trojan programs posing as illegal serial number generators. Unfortunately, this is just speculation for now.
As of July 8, both Spybot S&D and Ad-aware should repair this hijack. Please use one or the other before doing anything else in an attempt to fix this hijack. If neither program fixes the problems, here are the manual removal instructions:
Download Merijn’s HijackThis program, extract it to a folder of your choice, and run a scan with it.
Look for entries containing numbers and % symbols as in this example, and tick the box next to them:
R1 – HKCU\Software\Microsoft\Internet Explorer,SearchURL= http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73
Look for any O1 Hosts entries similar to this example, and tick the boxes next to them:
O1 – Hosts: 1123694712 auto.search.msn.com
Look for these entries and tick the boxes next to them (the stylesheet entry may have a different file name):
O4 – HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O19 – User stylesheet: C:\WINNT\system.css
Click the “Fix checked” button to remove these entries, then restart your computer. After Windows has loaded again, delete these files (the stylesheet entry may have a different file name):
Finally, go to Internet Options > Security, and select “Trusted Sites”. Press the “Sites” button. Delete any entries that you know you have not placed in there yourself, such as *.coolwebsearch.com, *.coolwwwsearch.com, and so on.
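As an added example (not part of the original article and not code from HijackThis itself), the following Python script applies the checks from the manual removal steps above to a HijackThis-style log: it percent-decodes the R1 search URL so you can read the hidden domain, converts the numeric address in the O1 hosts entry (1123694712 is a 32-bit IP address written as a plain decimal number, a trick Windows accepts in the hosts file) back to dotted form, flags the bootconf.exe loader in O4, and flags any O19 user stylesheet. The sample log lines are constructed from the entries quoted above plus two benign lines for contrast, and the KNOWN_LOADERS set is an assumption you would extend as new variants appear.

```python
import re
from urllib.parse import unquote

# Constructed sample of HijackThis log lines, modelled on the entries quoted
# in the article plus two benign lines for contrast. Not a real captured log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O1 - Hosts: 1123694712 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O19 - User stylesheet: C:\WINNT\system.css
"""

PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# Loader file name the article attributes to this hijack (assumption: extend
# this set as further variants are identified).
KNOWN_LOADERS = {"bootconf.exe"}


def decode_percent(url: str) -> str:
    """Undo the %XX encoding the hijacker uses to hide its domain name."""
    return unquote(url)


def dotless_ip_to_dotted(value: int) -> str:
    """Convert a 32-bit address written as a plain decimal integer to dotted-quad form."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit address")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def triage(log_text: str) -> list[dict]:
    """Return the log lines a helper would tick, each with a reason and the decoded detail."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" ", 1)[0]
        if kind in ("R0", "R1", "R3") and "=" in line:
            # Start/search page URLs: flag anything that hides its host behind %XX escapes.
            value = line.split("=", 1)[1].strip()
            if PERCENT_ESCAPE.search(value):
                findings.append({"line": line,
                                 "reason": "percent-encoded start/search URL",
                                 "detail": decode_percent(value)})
        elif kind == "O1":
            # Hosts entries: a bare decimal number in the address field is a dotless IP.
            parts = line.split(":", 1)[1].split()
            if len(parts) >= 2 and parts[0].isdigit():
                findings.append({"line": line,
                                 "reason": "hosts entry uses a dotless decimal IP",
                                 "detail": f"{dotless_ip_to_dotted(int(parts[0]))} {parts[1]}"})
        elif kind == "O4":
            # Startup entries: compare the executable's base name against known loaders.
            after = line.split("]", 1)[1].strip() if "]" in line else ""
            target = after.split()[0] if after else ""
            basename = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if basename in KNOWN_LOADERS:
                findings.append({"line": line,
                                 "reason": "known hijack loader set to run at startup",
                                 "detail": target})
        elif kind == "O19":
            # A user stylesheet is rarely legitimate and this hijack uses one to re-hijack.
            findings.append({"line": line,
                             "reason": "user stylesheet (used by this hijack)",
                             "detail": line.split(":", 1)[1].strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"TICK  {f['line']}\n      {f['reason']}: {f['detail']}")
```

Run it against a saved log by reading the file into triage() instead of SAMPLE_LOG; the decoded detail is what you compare against the Trusted sites list in the final step, since the hijacker adds the same domains there in readable form.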
This article is located at http://www.spywareinfo.com/articles/cws/