I've just spent the last few days getting rid of this crappy browser hijack that ***** up your start page/search page and does this every time you run your browser. The method I used to delete it is a bit of controlled overkill - but much less overkill than formatting your hard drive or restoring the computer.
My solution builds upon other people's ideas and solutions, I'll just list what I did:
Download Adaware from here if you haven't already got it.. or use the link from the main page of this site.. and run a scan... once this is completed and you have deleted all the bad objects..
If you have the full version of Adaware you will have the Ad-watch portion.. If you do (which most won't, I assume) then run it, and get it to prompt you for any attempts to alter the registry.. Depending on how ****ed your computer is.. each time you run a browser now you may get 6 to 7 attempts to change things.. If you don't have it then don't stress, it just makes things a little easier.
PLEASE NOTE! While this AdWatch is running, you will not be able to change the registry for the better, as well as deleting bad entries.. What I suggest is you keep it set to NOT automatically block the attempts because Hijackthis (used later) will not be able to work properly..
OK, onto the solution:
1. Bring up the Processes window in Task Manager (CTRL + ALT + DELETE) and look at the processes.. You are looking for things like: 'sd*.exe' (the * indicates some random characters); it may not even have sd at the start but it did every time for me. You might wish to use a process viewer like the one here in order to make this easier too.
2. Also look for anything else suspicious.. If it looks dodgy then kill it; the reason I say this is because there's no easy way for you to find out if it is or not.. It's likely to be dodgy if it's made up of random characters, and if you run a browser to find out then that is the catalyst for it to infect your computer again.
3. Locate these files in these 2 directories:
What you are looking for are the names of the files you saw in the Processes (But not limited to!)
Depending on how many times you have tried to do this there could be multiple .exe files all with 5 random characters and a .exe extension.. You need to delete every single one of these files for this to work... You will find some in both directories..
The easiest way I found to do this was to view the directories by 'Detail' - done by right clicking and selecting View --> Detail.... and then right-clicking next to the Last Modified column and adding the column 'Created On'.. This will show you any files that have recently been created.. It is fairly obvious which ones are the culprits.. they are, as I said, either a string of characters with a .exe extension or a string of characters with a 32 tagged on the end with the same extension..
The dodgy files with the 32 tagged on the end are the executables that start the carnage.. What I think happens is the .exe files that run on startup that you can see in the processes run these files with the 32 tagged on, and this is where the problem is - you can delete the files that run these other .exe's but if you don't actually delete the .exe's with the 32 tagged on then they in turn create the other .exe's....... I have no idea if this is correct but it is surely something along those lines.
The other files that you must delete are the dodgy .dll files... These are the files that contain the HTML code that loads when the hijacker takes over your browser.. You can find them in the same directories as listed above, but most likely just the WINDOWS directory.. If you open them with notepad you will see the HTML in them.. The filename is randomly generated and will match the name in the address bar once hijacked, i.e.: res://*.dll........ The file name will be where the * is.
My advice is to delete any .dll files and .dat files that have been created in the couple of days since you were infected.. The chances of removing important files is slim... Hopefully you don't consider me a cowboy for saying that, but desperate times call for desperate measures... I call it controlled culling of files..
Anything that looks suspicious (i.e. random characters .exe or .dll that have been created in the last couple of days).
4. Once this is done, make sure to delete all the files in your
C:\Documents and Settings\(Your User Name)\Local Settings\Temp
C:\Documents and Settings\(Your User Name)\Local Settings\Temporary Internet Files
This is just a precaution.
*You may need to be in safe mode in order to do this, because some of these files may rely on processes that are currently running. When in Safe mode, they do not.
5. Delete all the files in the WINDOWS\TEMP directory
and completely delete the folder: C:\WINDOWS\PREFETCH if it exists.
6. Run Hijackthis!!
And delete all the suspect BHO's etc... It is fairly obvious which ones the suspect ones are... Other people have said to run Hijackthis as the first step.. but it's not necessary - if you have completed the steps above you should have too many dodgy items in Hijackthis. Once you click Fix, then you will get another prompt from Ad-Watch.. this time look at what it is trying to do.. If it is trying to restore your homepage/searchpage settings, then let it! If you have a lot of dodgy **** still in there, then fix all the problems and start again from instruction 1.
OK, after this is done, I recommend doing another scan using Ad-aware, Spy-Bot or any other programs including CWShredder that you might have (you can never be too careful)..
I forgot this step:
6. Have a look at the services running; do this by going to the 'run' menu and typing in 'services.msc'
Go down the list and locate 'Network Security Service' - this is another piece of dodgy **** that the hijacker installs.. Notice how it is one of the only items that doesn't have a description.. Any service running that is not sanctioned by Microsoft isn't allowed to have a description, I do not think. Right click it, select Properties and change its startup type to 'Disabled'.. Now if you don't clean your computer completely of the hijacking files then this will change itself back to Automatic (sneaky bastard) so remember if the initial instructions fail, then you'll need to do this again.
7. OK, once this is done you should be good to shut down your computer COMPLETELY, as in turn it off.. Then turn it back on and see what happens... What I did was make Ad-Watch run on startup so I knew if there were any attempts to change the registry.. The way to check to see if your computer is hijack free is to run a browser.. If nothing happens, then close it and run it again.. If you can do this three times with no hell breaking loose then you are most likely cured.. If Ad-Watch goes nuts then you'll have to start again and this time be more vigilant with the deletion of .dll's and .exe's. If you didn't use Ad-Watch then either nothing will happen, or you'll be redirected to that godforsaken res://*.dll page and your registry will be once again ****ed.
OK, hopefully that helps some of you.. I understand that my advice is somewhat confusing and probably annoying but I believe for now that it is the only solution.
The reason why this is such a nasty problem to fix is that the hijack creates randomly named .exe files and .dll files in different locations.
I'll keep my eye on this post for the next couple of days to answer any questions.. and let me know if any of this helps..
Edited swearing - that's just too much, this is a public forum, knock it off.
Edited by chrisgaltieri, 22 June 2004 - 09:25 AM.