I got a stupid thing that keeps changing my homepage and ie settings

W

wedoe21

Limp Gawd
Joined
Apr 29, 2002
Messages
488
ik i turned on my comp today and started IE and i got take to this page res://btrsi.dll/index.html#96676 and the adress bar and links bar ect were all changed around. so i change everything back and reenter the h forums as my homepage. but everytime i close ie then re open it everything is still messed up. its back to this res://btrsi.dll/index.html#96676 as my home page ect. i tried ad aware and spybot but they didnt find anything. anyone know how to remove this crappy spyware?
 
oh plus i got a ton of popups now ( i got 3 when i was posting this message and i only had this window open) so it is messing with me.
 
Its that damn btrsi.dll i delete it and it keeps coming back is there any way to find where this keeps getting installed form?
 
Also run ad-aware, make sure you update it and have it scan your host file. That should clean you right up.
 
Sounds like you got CoolwebSearch..

Adaware will not remove it. Google CWS Shredder or CoolWebsearch
 
hijak this removes but then it comes back. its like there is a program that keeps reinstalling the dll
 
That's some pretty serious spyware dude. If Spybot, Adware, Hijack This, or anything else won't fix it. You can:

1. Go into the registry and try to remove it and stop it from coming back

2. Kick Your Self

-OR-

3. Consider yourself screeeeeewd. (Reformat needed :( )
 
i wouldent think its that bad, i just gotta find where its reinstalling from. was wondering if anyone knew form the symptoms i described
 
It sounds like CWS (Cool Web Search), so are you sure you got the latest version of CWShredder?

Otherwise, sorry I got no ideas :(. You updated ad-aware and spybot before running them?
 
Same issue here. I have tried all those with updated reference files, no luck.
 
You have coolwebsearch :eek: . That sucks. I was working on a computer that had it. Nothing removed it, spybot s&d, adaware. I even tried a removal tool made by symantec for it. The removal tool fucked the registry and I had to reformat.
Just reformat now and stop wasting your time.

Good luck.
 
im home from school for a month and a half, i didnt bring my windows disks home. so i SOL in the reformat department. although i could send an email to that guy that makes the cws shreddar prog. There was some blurb that said if this verson doesent remove it wait a couple weeks and he might have a new version out. so if you got the same problem send an email to the guy at http://www.spywareinfo.com/~merijn/cwschronicles.html . on the site it says it was updated april 17 and that the assholes that make this crap update it abuout every week or so.
 
oh and this is really annoying. this happened after the first restart of my computer. every time i open a new IE window office xp tries to install somthing but it keeps asking for the Disk so it cant finish the inststall, then it starts over again when i open a new window.
 
http://www.hardforum.com/showthread.php?p=1026178527#post1026178527

This is really a pain in the ass hijak program if you have any ideas that could help i would really appreciate it.

The symptoms of this are:

Before first restart of infected computer:

The tool bar is defaultd to its origional layout, if i change it, it just goes back.

When i open a google search it pops up another search page with the text i already searched for entered into said search window. (the search page is in the thread above)

My homepage is set to this site called res://btrsi.dll/index.html#96676 is this a web address or is it a folder on my computer?

Iused hijak this and it comes up with a list of btrsi.dll files that it can erase but they just come back upon restart fo the browser.

After first restart:

The only thing new that i see sofar is every time i open a new ie window the windows installer pops up and office xp with frontpage (which i already have installed) tries to install somthing it says it cant find the proplus.msi file, and it gives me the browse box to find it.

Thanks for any help you can offer.
 
Temporarily turn off system restore, boot into safe mode. Run CWShredder and any other spyware detection you have. Look for suspicious entries in the msconfig startup and remove. Good luck.
There's a new spyware prog I've run across which Spybot and Adaware can't detect yet. I forget the name, it was "AB something".....I think. It will create a directory in the common files folder. If you have that, delete that directory, or at least rename it of you're not sure if it is the culprit.
 
First, start your machine in safe mode.

Then, go to regedit and check your HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/CurrentVersion/run and runonce for any shady looking keys. Delete them.

Run AwAware and Spybot and CWS Shredder.

Also, check your Add/Remove Programs while in safe mode, and uninstall any instance of a program you didn't mean to install.

Try killing the btrsi.dll in safe mode as well.

Then log back onto Windows in regular mode and see how things work.

Oh, and you can stick the web domains of the popups into your hosts file as well.
 
Here is what i do.. reboot into safe mode. Open the system 32 folder. Get rid of any executables that are fairly recent by date. After doing this i clear the registry for the run programs at startup. I delete all browser objects. I delete the contents of the temp folder under the profile and i look though the local settings folder to make sure that there is no junk in here from this program. That should be a good start.
 
Also check to see if there is a:
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/CurrentVersion/run-
HKEY_LOCAL_USER/SOFTWARE/Microsoft/CurrentVersion/run-
keys present... the " - " will sometimes execute as well...make sure to remove it

My fiance was on my machine for 10 min...I got nailed and not in the good way. CWShredder finally cleared my most evil one "myexexex.com"
http://www.computercops.biz/modules.php?name=Forums&file=viewtopic&p=196559
 
wedoe21 said:
http://www.hardforum.com/showthread.php?p=1026178527#post1026178527

This is really a pain in the ass hijak program if you have any ideas that could help i would really appreciate it.

The symptoms of this are:

Before first restart of infected computer:

The tool bar is defaultd to its origional layout, if i change it, it just goes back.

When i open a google search it pops up another search page with the text i already searched for entered into said search window. (the search page is in the thread above)

My homepage is set to this site called res://btrsi.dll/index.html#96676 is this a web address or is it a folder on my computer?

Iused hijak this and it comes up with a list of btrsi.dll files that it can erase but they just come back upon restart fo the browser.

After first restart:

The only thing new that i see sofar is every time i open a new ie window the windows installer pops up and office xp with frontpage (which i already have installed) tries to install somthing it says it cant find the proplus.msi file, and it gives me the browse box to find it.

Thanks for any help you can offer.
Click to expand...

This is word for word the same problem I am encountering. I have run all the programs I can find to stop it. Post anuthing you find out!
 
DING DING DIGNG!!!!!!!!! If you have this problem just download mozilla firefox and you wont have to worry about it messing with you
 
Or SlimBrowser

http://www.flashpeak.com/sbrowser/

I'm real careful about the integrity of my OS and yet I found that IE has been compromised by ShopNav. I get so many pop-ups with IE that I don't even use it anymore. Like everyone else with their problems, I haven't found a remedy yet.
 
i dont know if ie got infected just because i was using it at the time of infection or because it sucks. Id be curious to know if it is an ie thing or a browser you are using at the time thing.
 
So you still have the "infection", but your just going to change browsers to remedy the situation?
 
I don't really have any suggestions. I've tried every ad/spy removal software I can find and none of them recognized it. Seriously, everyone I could find on the net (10+). I deleted about 25 registry entries that had "res" in them, but upon restart the registry entries were recreated by the tainted program. I just don't want to leave it there and ignore it. I'm using firefox now so I don't encounter the problem, but I would like to purge my system of this annoying program. I figure I'll use firefox for now and wait to see if one of the people that create spy ware removal software figures it out and releases an updated reference file.
 
Yes for the moment im blissfully ignoring the problem while my girlfriend mails me my windows ect cd's. Changing browsers isnt a solution just a sidle by the problem. If you use hack this to delete the files upon startup then it has been my expierence that they wont reinstall untill you restart. Before that would reinstall everytime i opened a new ie window. So changing to an uninfected browser is loads better for the moment.
 
Ignoring the problem by changing browsers is disrepectful to anyone on the internet. The program could be one that creates a zombie spam or virus proliferator, The machine could be sending hundreds or thousands of junk mail or viruses without the users knowledge.
 
Mister Natural said:
Ignoring the problem by changing browsers is disrepectful to anyone on the internet. The program could be one that creates a zombie spam or virus proliferator, The machine could be sending hundreds or thousands of junk mail or viruses without the users knowledge.
Click to expand...

This statement is a litle eccentric. This program is not harming anyone but the user that contracted it.
 
Minomine said:
This is a handy little program. I use this, spyware, and ad aware, along with AVG Free Edition, and I have no troubles what so ever.

Bazooka Spyware Scanner


AVG Free Edition (You will still have to register with them.)
Click to expand...

That Bazooka is great. I have been having annoying popups similar to the others in the thread and tried everything. I tried the Bazooka and finally killed all the popups.

Thanks!
 
I would be well aware if this program was higacking my connection to spam. I monitor my network usage constantly and closely and there have been no spikes in usage. And as for disrespectful I think the tone of your post was disrespectful, Mister Natural. If you dont have anything constructive to say please stay out of my threads.
 
Download firefox. I had a similar problem. But it wasn't cws. So I found the site that made it and asked them. They said I installed it. So I told him to go fuck himself and installed firefox. Been running great.
 
My advice would be to boot into safe mode. Run "hijack this", Delete any registry entries. Then Save the log, and then view the log to view running processes. If nothing is running except what should be, then start into normal mode. Change the IE homepage. Check to make sure its gone. If its not, again run hijack this and save the log. Check the log for suspicious programs. Reboot into safe mod and delete or rename any .DLL's or .EXE files that shouldnt be loading on your system. Search google for normal XP running procesess.

It sounds like a simple DLL is loading.
 
Wixard said:
My advice would be to boot into safe mode. Run "hijack this", Delete any registry entries. Then Save the log, and then view the log to view running processes. If nothing is running except what should be, then start into normal mode. Change the IE homepage. Check to make sure its gone. If its not, again run hijack this and save the log. Check the log for suspicious programs. Reboot into safe mod and delete or rename any .DLL's or .EXE files that shouldnt be loading on your system. Search google for normal XP running procesess.

It sounds like a simple DLL is loading.
Click to expand...


I believe everyone has tried this and it still did not work.
 
McAffee Virus Scan 7.1 also finds crap for me.

Take a close look at the Local Settings in your profile.

...just some more things that I don't think have been stated and are coming off the top of my head

Edit: I just did a google search for "index.html#96676 and got a whole lot of hits.
http://computercops.biz/postt50930.html
That is how you remove the problem from the oringinal poster's problem. now the .dll may be different...but it looks like the same thing. Try the google search....
 
You must log in or register to reply here.
Back
Top