I'm cross-posting this from Malware Removal. I've got a bit of interesting info about the nasty <5 random>.DLL / Home Search Assistent hijack.
My friend got nailed pretty bad, so I went over there to troubleshoot. I took the intstructions from the pinned message about it, and I begun my cleaning. I also installed a copy of FireFox to help them stay away from MSIE.
Anyway, I cleared stuff once in safe mode, popped back to normal, ran MSIE, checked and saw that it had partially returned. I cleared stuff out and it *appeared* to be gone.
So then I did a google search in Firefox to help debug a little problem they were having with their install of MS Picture It (totally unrelated to the hijack). While searching, I found a post on the Wine HQ site that looked like it might help.
When I clicked on the link and opened it in a new tab, the browser just hung there. On the bottom in the status bar, it said it was waiting for a doubleclick URL. This was odd to me as the URL I was hitting was winehq.org, and I doubted that a .org would have a doubleclick banner ad. Sure enough, when I checked HijackThis, the nasty had returned.
The *troubling* thing to me was that it returned and affected OTHER browsers. I therefore believe that a) the redirect occurs as the MS system level somewhere, and b) that one of the intents of this baddie is to increase someone's ad hit totals.
Now, the page never came up, and after I cleaned the machine off and found a few more things, I went back to that page to confirm, and there were NO doubleclick ads to be found. Since the doubleclick page didn't respond, I could only assume that it was either being overloaded with traffic or being blocked by doubleclick. If this is true, can anyone contact doubleclick and find out who's paying for the ad that's getting pounded by this?
Also, I cleaned my friend's machine off, and I didn't feel like experimenting with him, so I can't confirm any of this. If anyone else is investigating, I recommend they try hitting google on an infected machine with a browser OTHER than MSIE. Also, a packet sniffer would be able to tell where exactly at doubleclick this thing could be hitting.
One other question: does anyone know yet how/where this hijack is spreading from? I've seen lots of info on how to clean it, but I haven't seen many posts discussing where it comes from and how it gets on a system.
Good work, all...I couldn't have cleaned my friend's machine without your hard work.
Interesting detail about res:// / HSAssistent
No replies to this topic