How to Clean your PC from the "winshow" Hijacker !

[Larry_OHF]

Note: My final post lists the first step to take in cleaning this hijacker from your system. Also, go to the symantec link I provided here to get the needed information on how to wipe out the dirty files from the registry. PM me if you would like assistance with this.


I have a persistant Browser Hijacker that will not go away, even after I follow the instructions from Symantec and another website, as well as my own methods. Can anyone tell me how to clean this out?

This is what I have: http://securityresponse.symantec.com...e.winshow.html

and that link explains what to delete to clean you of this rat.

Here is another website that takes a different approach:
http://www.spywareguide.com/product_show.php?id=609

I have followed these instructions as well as used spybot, adaware and all that, but when I reboot, the items come back! What can I do now?

[ 10-29-2003, 04:01 PM: Message edited by: Larry_OHF ]

[harleyquinn]

Have you tried some type of registry cleaner?

[WillowIX]

Quote:

Originally posted by harleyquinn: Have you tried some type of registry cleaner?

Shouldn't make a difference since he has unregistered all components. You did remove the files right Larry? If you did it almost sounds like the thing keeps installing when you reboot. Try cleaning out your temporary files and your temporary internet files. Perhaps the little installer is hiding there.

Edit: Did you remember to remove the trojan as well?

[ 10-29-2003, 12:09 PM: Message edited by: WillowIX ]

[philip]

i don't know if this has anything to do with it but it helped me to delete some files that got back everytime i rebooted.

disable system restore in your configuration.

edit: i think you need to put restore of to delete the trojan WillowIX mentioned

[ 10-29-2003, 12:13 PM: Message edited by: philip ]

[Larry_OHF]

I will try what you have suggested now and return and report.

[Yorick]

That's bloody frightening Larry! Heck!

[Larry_OHF]

I disabled the restore option, I deleted all .tmp files, cookies, and all that, ran through the registry to delete all files that were either named winshow or started with 6cc1c918 as the tage name, ran searches on all this stuff, then went over to my wife's login and did the same. Upone rebooting I find that all the deleted files are back in place as though I did nothing.

I have not found the trojan then, and it must be named something other than all the names I have searched for. Any ideas? I cannot believe Symantec's walk-through did not help.

[Larry_OHF]

By the way, the crap seems to be a part of startup, because when I first boot up, my PC's protection program tells me that 6CC1C918...is trying to take over the browser. This happens at each startup.

[WillowIX]

Quote:

Originally posted by Larry_OHF: By the way, the crap seems to be a part of startup, because when I first boot up, my PC's protection program tells me that 6CC1C918...is trying to take over the browser. This happens at each startup.

Have you got cable Larry? If so try disconnecting your computer before rebooting. The trojan will connect to the net immediately. F-secure lists it as Ouch.A. Apparently it uses a vulnerabillity in Microsoft VM, there's a patch here. That should close up the hole the trojan is using. So when cleaning it out and rebooting it can't access the net. [img]smile.gif[/img]

[ 10-29-2003, 01:23 PM: Message edited by: WillowIX ]

[philip]

also you can find a lot of trojans with a normal virus scanner, they're not necesarrily in the temp folder or in the cookies