Tooncomics.com/main/hp.php

Cleverness: 3/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.slawsearch.com/autosearch.html
R0 - HKCU\Software\Microsoft\Internet

It hijacks to http:/// (sic) and uses the same autostarting methods as the first version.
Symptoms: Homepage changed to xwebsearch.biz and 'http:///', hijack returning on reboot or even sooner.

It also changes the DefaultPrefix, WWW Prefix and a non-functional 'www.' prefix which makes each URL you type without 'http://' in front of it redirect through ehttp.cc before reaching the correct

The BHO looks like this in a HijackThis log:
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
Deleting this BHO prevents it from restoring the autostarting regkeys, which

CWS.Dnsrelay.2: A mutation of this variant exists which uses the filename ASTCTL32.OCX instead.

Though a file determining its actions depending on the filename is very bad programming, it surprised me somewhat because it works so well.

CWS.Tapicfg.2: A mutation of this variant exists that uses

This one just surfaced when a sample (and thus a CWShredder update) was found for it.
Approx date first sighted: November 1, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=16643
Symptoms: IE pages changed to http://www.idgsearch.com/, hijack reinstalled on reboot and when running Windows Media Player.

It combined several hijacking methods, along with random redirections to porn pages, portals and even adult dialers.

The hijack covered most of IE, and a user was left to sit helplessly

It autoruns a file named olehelp.exe at startup from the Registry, which changes the IE homepage/search page to omega-search.com, and adds a mind-boggling 107 bookmarks to the IE Favorites, of which

Type in the name of the browser homepage. He only has to edit his Hosts File.
2003-Nov-3 9:51 am

pieter arntz to Paul928, 2003-Nov-3 10:08 am: Not quite.

It works invisibly, changing links from Google search results to other pages.

CWS.Mupdate
Variant 15: Mupdate - Turning up everywhere
Approx date first sighted: October 13, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=13613
Symptoms: Homepage changing to searchv.com, redirections to runsearch when mistyping URLs, *.masspass.com in

CWS.Smartfinder.2: a second version of this variant exists, that is harder to remove but basically uses the same method of loading, as well as the same CLSID.

The hijack involves AddClass.exe installing the hijack and reinstalling it on reboot.

However, this file was called on almost every action taken in IE, slowing it down - this was the most obvious when typing text.

CWS.Svchost32
Variant 7: CWS.Svchost32 - Evading detection
Approx date first sighted: August 3, 2003
Log reference: http://boards.cexx.org/viewtopic.php?t=1027
Symptoms: Redirections to slawsearch.com when accessing Google, searching on Yahoo or mistyping an URL

This file reinstalled the hijack when run.

When the computer was started, there was a 1 in 5 chance the hijack was re-installed and changed the IE start page and search pages to allhyperlinks.com.

However, once the hijack was

Cleverness: 8/10
Manual removal difficulty: Involves quite some Registry editing, win.ini editing and hosts file editing.

It appears to have worked there.

Thanx you guys are awesome!

The CWS hijack has been fixed and things, especially IE, should be much more responsive.

Removing msconfd.dll involves renaming the file, restarting the system and deleting the renamed file.

Click 'Next' again.

Variant 3: CWS.OSLogo.bmp - Send in the affiliates
Approx date first sighted: July 10, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=8210
Symptoms: Massive IE slowdowns
Cleverness: 2/10
Manual removal difficulty: Involves some Registry editing

  1. However, this BHO file also contains the first file and probably puts it back when it is deleted.
  2. C:\Program Files\Kazaa\kazaa.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://tooncomics.com/main/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://tooncomics.com/main/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://tooncomics.com/main/sp.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tooncomics.com/main/hp.htm R1 -
  3. CWS.Xplugin Variant 18: CWS.Xplugin - 'Helping' you search the web Approx date first sighted: November 11, 2003 Log reference: Not visible in HijackThis log!
  4. Tusculan, 11-29-2003, 03:24 PM: See also this link (http://www.computing.net/windowsme/wwwboard/forum/39884.html), with the same suggestion, and a link to CWShredder.
  5. Affiliate variant: Madfinder - Kinda like ClientMan Approx date first sighted: October 15, 2003 Log reference: http://forums.spywareinfo.com/index.php?showtopic=14977 Symptoms: IE homepage changed to madfinder.com, BHO with filename 'BrowserHelper.dll', hijack returning on reboot,
  6. The hijack installed a stylesheet that used a flaw in Internet Explorer and allowed a .css stylesheet file to execute Javascript code.

However, even though the evil programmers of CWS have released over two dozen versions of their hijacker on the advertising market in such a short time, it should be mentioned that

Variant 14: Dreplace - Just a BHO...

kip70, 11-29-2003, 03:08 PM: That didn't help either.

Winproc32.exe loads at startup, and hijacks IE.

It's run from 3 places at boot, as well as merging a .reg file that reinstalls the hijack, and adding an adult site to the Trusted Zone.

This is an article which details the variants of the browser hijacker known as CoolWebSearch (CWS).

Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.

The first one seemed to malfunction often, as seen in the 'first sighted' link where the file wasn't actually installed, but the reference to it was.

Nikolai Bezroukov.

Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchv.com/search.html
F0 - system.ini: Shell=explorer.exe mupdate.exe
F1 - win.ini: run=mupdate.exe
F2 -

In normal English, this means it reads most of the web pages downloaded to your browser.

After that, the fake stylesheet file could be deleted.

I have tried editing my registry by removing any references to this web site, but once I reboot, it sets itself up as my homepage again.
bricat

#9 13-11-03, 20:17 putasolutions

No other variants modify or delete system files, but this one seems to.

Identifying lines in HijackThis log:
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL
Second variant CWS.Aff.Winshow.2:
O1 - Hosts file: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} -

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot fix everything it labels in red.

Download Ad-Aware at http://lavasoft.element5.com/software/adaware/

After installing AAW, and before running the program, update by

It's classified as the JS.Exception.Exploit, and a patch can be downloaded from this MS security bulletin.

Do NOT have Hijack This fix anything yet.

Terminating the running process, and deleting the three autorun values fixed it.

Cleverness: 6/10
Manual removal difficulty: Involves lots of Registry editing and some .ini file editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet

Let's start with a couple of free programs: CWShredder is the first to run.

The file stays in memory so a process killer is needed to remove it.

That's it.

I Googled this link, but the suggestion to use CWShredder seems a good one, since the symptom you described is similar to the CoolWebSearch problem.

This will only partially remove CWS.Addclass though.

The style sheet files are marked read-only, system and hidden.

Variant 7: CWS.Svchost32 - Evading detection
Approx date first sighted: August 3, 2003
Log reference: http://boards.cexx.org/viewtopic.php?t=1027
Symptoms: Redirections to slawsearch.com when accessing Google, searching on Yahoo or mistyping an URL
Cleverness:

It is still unknown what the BHO actually does.

Apart from the new filename 'CTFMON32.EXE' (note that 'CTFMON.EXE' is the real Windows system file) it worked pretty much the same way as CWS.Bootconf: the file loads at startup, resetting homepages

It redirects the Verisign Sitefinder, so all mistyped domains are redirected to 213.159.117.233.

Upon starting the computer, I'm prompted that msinfo.exe cannot be found, that msinfo.exe specified in WIN.IXI cannot be run and that the C:\WINDOWS\EXE file appears to be corrupt.