home page hijack - res://rcuib.dll/
|
Original Message
|
Name: robinrjellis
Date: June 14, 2004 at 11:46:11 Pacific
Subject: home page hijack - res://rcuib.dll/
OS: Win2000
CPU/Ram: P3650/384
|
Comment: I have been hijacked by something that resets my home page to this: res://rcuib.dll/index.html#96676 I have an up to date virus checker (which found and removed Dropper.Inor.) I remove the dll that the home page points to but it is regenerated, I think by files that have names like apity.exe and ntcs32.exe in the WINNT and WINNT\System32 directories. Obviously something is generating these files but I can't trace it. Any ideas? Robin
|
Response Number 1
|
Name: SamZee
Date: June 14, 2004 at 13:50:39 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: If I were you, I would get SpyBot Search And Destroy, and Ad-Aware 6. They are both free, award-winning programs. But GET BOTH IF I WERE YOU. [Ad-aware is better in the sense that it finds more things and is updated a lot more often.] But Spybot is able to find a few things that Ad-aware can't also. So, get those 2 programs, and update them. Be sure to customize Ad-Aware's scanning settings to make sure it scans everything possible. I would suggest scanning with Ad-Aware first, then find those extra few registry keys that Ad-aware couldn't detect, with SpyBot.
Also, a VERY good program is SpySweeper. That has A LOT of definitions.
___--SamZee--___
|
Response Number 2
|
Name: robbakersc
Date: June 15, 2004 at 10:39:56 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: Robin, did you figure anything out with this? i have a very similar problem, with my homepage being reset to a "res" page also. i have tried ad aware, spybot, and spysweeper, all with no success. just curious if you found anything that worked. thanks, rob
|
Response Number 3
|
Name: villarte
Date: June 15, 2004 at 23:13:52 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: I am having the same exact problem with my homepage being hijacked whenever I open it. It gets changed to: res://rjusa.dll/index.html#96676 PLEASE! Can anyone help out there? I've tried Ad-Aware, Spybot, Spysweeper, Hijackthis but none of them seem to help!!!
|
Response Number 4
|
Name: rreynoso
Date: June 18, 2004 at 07:26:42 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: I am having the same issue. This one is a tough sucker!! This site gives some info but it didn't work for me, maybe it will work for you. http://pchell.com/support/lookfor.shtml Let me know if you find a solution.
|
Response Number 5
|
Name: JMuirh
Date: June 18, 2004 at 23:24:07 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: See the following URL for information on this browser hijack. Apparently, it's so new that none of the tools out there (Ad-Aware, SpyBot, et al) can't detect, much less remove it. My advice: grit your teeth and wait for the tools to catch up, and get to windowsupdate.microsoft.com REGULARLY and install the required and recommended updates you find there. For more info on this hijack, brought to you by the folks at CoolWebSearch, see the following URL: http://www.spywareinfo.com/~merijn/index.html Finally, a tool called CWSweeper @ the site above ALSO does not yet have a fix, but as you can see from the June 18th post by the site owner himself, he's working on an update to CWSweeper, which will remove this thing.
|
Response Number 6
|
Name: TechnoGuyRob
Date: June 19, 2004 at 18:13:24 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: Same thing is happening to me. If only I could find the damn thing that is regenerating the .dll file (sorry for the language). I'll post if I have any luck. Robert K.
|
Response Number 7
|
Name: BuGS
Date: June 20, 2004 at 01:08:03 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: I have found that by using the Spybot Resident program Tea Timer you can stop it from adding itself. I have had no luck though finding out where it is coming from... It keeps trying to add the BHO {1B7868F3-747F-F324-23F0-1A3EC3D2C170} which generates the random res://***.dll thingy. To use the Tea Timer go to advanced mode and then Tools and Resident, then activate. You have to hit deny (do not set to auto, it does not work). It pops up a lot but it's a lot better than having to change your homepage every 2 mins. Also, if it does happen to add, in the tools section it shows all your BHO's and you can delete any that don't have a green checkmark (my recommendation).
/\/\30\/\/
|
Response Number 8
|
Name: BuGS
Date: June 20, 2004 at 23:57:34 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: Well i think this might be the ultimate fix for a lot of things! It sure worked for this and my home search assistant problem!

Originally posted by:
Name: atomicdog420
Date: June 16, 2004 at 20:00:00 Pacific
Subject: Home Search Assistent
Reply: i believe i have defeated the 'home search ass-is-tent'. after a great battle. this is put together thru parts of other ideas from all over the web. i found that what it does is replicate itself every time you delete the infected files.

what you need to do:

1. ctrl alt delete and kill all processes that look dodgy. mine was called 'ntee2' but it could be any 5 random letters. kill any that you see.
2. from the start menu, select run and type 'services.msc'. find the 'Network Security Service' and from properties set it to disable. this is the little bugger that keeps replicating the files.
3. in the windows explorer go to c:\windows and delete all of the random 5 letter named files. they will be dll, exe, and dat files. the dats are about 89 k. the easiest way is to view details, click on modify and select created. then you can see when the files were made. repeat the process in the c:\windows\system32 folder. (here i just sorta got anything that was named even remotely suspicious that was created in the last few days. you need to be sure to get all the bad files or you'll have to repeat the process).
4. delete all files in the C:\Documents and Settings\(Your User Name)\Local Settings\Temp and C:\Documents and Settings\(Your User Name)\Local Settings\Temporary Internet Files and WINDOWS\TEMP. also if you have the folder C:\WINDOWS\PREFETCH completely remove it.
5. run hijackthis and get rid of all the crappy BHO's and all other references to the bad homepage.
6. run regedit and search for 'home'. delete all the values/folders associated with the 'home search ass-is-tent'.
7. completely turn off and back on your system and then run hijack this.

all the dodgy entries should be gone and the home search assistant should be gone from the add remove programs. if this doesn't work try repeating from step 1 and making sure to delete all the dll, dat, and exe files. let me know if this helps

***I would thank him very much
/\/\30\/\/
|
Response Number 9
|
Name: olliemook
Date: June 23, 2004 at 16:06:07 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: I have been helping a friend with a similar problem - their home defaults to res://qqzhn.dll/index.html#2276 and, even with a pop up stopper, they get these "Only the Best" pop ups. It also adds x-rated favorites. (his family bought a Dell -- I was in tech support for 3 years and get to fix it every time they get a virus, or anything!) Ugh, enough complaining. I see the detailed Response #8 by BuGS to clean things up but I was about to suggest to my friend it's time to call Dell and reformat/build. Will that clear things up? It's not possible for me to be their on-call support person and I don't think they have the skills/diligence to perform the clean-up, regular updates and continued maintenance. Looking forward to any/all replies. Also, did my friends get this b/c they actually clicked on/into one of the pop ups to get this problem? They say they never go to them, but they are always running into these kinds of problems. Thanks in advance. E
|
Response Number 10
|
Name: slvrbullet
Date: June 25, 2004 at 15:12:08 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: I did the process which BuGS described and I noticed that it seems that most of the exe files which need to be deleted are either 9, 19 or 29k. Just an observation; hopefully it is correct. Can anyone verify?
|
Response Number 11
|
Name: peterj
Date: June 25, 2004 at 23:34:17 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: I have this little sucker too. I have also seen about 5 other computers with it. I have tried EVERYTHING suggested in these columns and more without any success. The one additional observation I have made is that one thinks one has cleared it OK and after opening a new website then closing the browser (IE6), it comes back. I am still to verify this conclusively but I think it happens specifically when opening and closing the ORIGINAL homepage.
|
Response Number 12
|
Name: peterj
Date: June 26, 2004 at 00:48:53 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: Since my last comments - I found this. It solved my problems and thanks to the person who posted this elsewhere: http://www.security-forums.com/forum/viewtopic.php?t=15202&postdays=0&postorder=asc&start=15 To delete the Legacy Root entry, right click it and assign administrator rights to it. It has system rights only.
|
Response Number 13
|
Name: TechnoGuyRob
Date: June 27, 2004 at 15:36:16 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: Yes, that is indeed the solution. I solved this problem the same day I posted a reply (see above), but I couldn't find this forum afterward. Robert K.
|
Response Number 14
|
Name: hon
Date: June 28, 2004 at 11:21:13 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: Hi, I struggled with the problem all weekend. Finally, I got rid of it by using http://hsremove.baravehost.com Try it, it worked for me!
|
Response Number 15
|
Name: hon
Date: June 28, 2004 at 11:26:03 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: Sorry, the correct address is: http://hsremove.bravehost.com I downloaded and ran the hsremove.exe
|
Response Number 16
|
Name: Templar
Date: July 1, 2004 at 00:52:39 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: just in case IE try this ;-): http://www.hsremove.bravehost.com or u will get a message: "Bravehost.com - Web Site Under Construction The owner of this domain has not yet uploaded their web site. Please check back later! Use your Back button to return to the page you were at previously"
|
Response Number 17
|
Name: sdpc97
Date: July 3, 2004 at 11:39:25 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: hon and Templar, thanks for the solution! I'm still getting pop-ups though :-/
|
Response Number 18
|
Name: sdpc97
Date: July 3, 2004 at 12:15:09 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: Well, I lied. It didn't work. The tool ran and reset the webpage. However, after I closed and reopened IE, the stupid five-letter .dll was back. I've noticed that whenever the browser opens, the first pop-up briefly says www.search-all-fast.com. I'm at a loss. I tried following the other directions posted above, but I don't feel comfortable messing around in the computer.
|
Response Number 19
|
Name: Xodus
Date: July 6, 2004 at 15:10:33 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: help. i'm having the same problem. i tried everything i could...and the page still keeps coming back. i've tried hijackthis and it still didn't work. i'm really, REALLLLLLY tired of this crap. any help is appreciated. *sigh* Hail.
|
Response Number 20
|
Name: seatech1
Date: July 10, 2004 at 15:29:32 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: A lot of these hijackers install a registry entry, which has to be manually removed. You should check with your spyware or antivirus website for removal instructions. Also check the Microsoft website and search for the virus name. They may have a removal tool. If you get some of the spyware programs, like spybot s&d (make sure you have the current version; get it from majorgeeks) or spyware blaster, they will lock your home page and other settings so that a hijacker won't be able to change them. You will then be alerted when this program does try to change it, and you can identify it from what they tell you. AdAware is also good. Spyware Blaster prevents spyware from getting on your computer in the first place. It also requires frequent updating, but it's painless. Some other sites to check out:
http://www.doxdesk.com
http://www.spywareinfo.com/
http://www.cexx.org/adware.htm
Also check out cdt.org. They're an organization that is trying to stop this kind of stuff. Good luck
|
Response Number 21
|
Name: Asmodee
Date: July 15, 2004 at 10:51:17 Pacific
Subject: home page hijack - res://rcuib.dll/
|
Reply: I had this on a customer's computer and finally managed to remove it manually. I have seen on other threads that the DLL involved is actually remade by iexplorer.exe, so it was assumed that IE was somehow infected. It is actually an explorer bar setting that does it.

To get rid of it, you need to kill all processes that are not needed to run. Then run HijackThis! and remove everything suspicious. Restart the computer and open Internet Explorer, then close it as soon as the hijacked page comes up again. All this is just to see what files come back.

There may also be a new service running with no description. I am not sure whether it is with this software or something else, but it will be a process in task manager that cannot be killed. The service had the same name as the process. Find it, stop it and disable it, then, just for good measure, find and delete the file.

Next, close all programs not necessary to run again, but pay attention to anything you don't recognise and write it down. I had two files, msug32.exe and msjx32.exe, which were loading but were not listed in HijackThis! It is important that you find any strange files running which are not listed in HijackThis!

Once you have all the file names and you are sure that you have the correct ones (check the date; they will have been created within the last few days) and after you have killed ALL processes not necessary to make the computer run and after you have written down the names of the suspect processes you killed, run HijackThis! again. Write down the file names of anything which has come back. Remove the entries again. Use the registry editor to search for and remove any entries relating to these file names. Also, find and delete the files from the computer.

One place you will find an entry is HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXPLORER BAR\ Under there will be several keys with numbers which look something like this one -> C4EE31F3-4768-11D2-BE Under one of those keys you will find a key called 000. Under that key, you will find one of the file names for one of your stealthy EXE files; the one that rebuilds the DLL.

The two files that are running in the task manager that are not showing in HijackThis! are hidden files and may or may not be visible from Windows Explorer, but will not be located when you do a search, even if you are searching system and hidden files. They are in the Windows and System32 directories and can be found in the command prompt by typing dir filename /a. When you find them, type attrib -s -h -r filename, then del filename.

After all this, reboot, open IE, reset your home page, then close IE and double check your HijackThis! log.

This is not something you should try if you are not an expert. I am at work and have been working on writing all this down off and on through the last hour or so. It is, to the best of my memory, everything I had to do to kill this thing and, so far, it has not come back through several reboots and some random web surfing and Google searches. Good luck!
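The file hunt described in the procedure quoted in Response 8 and again in Response 21 (short random names, created in the last few days, hidden from Explorer search), as an added triage example that is not code from any poster. The name pattern, the 7-day window and the size hints are heuristics assumed from the posts, and `Entry`, `size_hint`, `triage` and `scan` are hypothetical names; the script only reports candidates and deletes nothing.

```python
import math
import os
import re
import time
from typing import NamedTuple

class Entry(NamedTuple):
    name: str
    size: int       # bytes
    created: float  # creation time, epoch seconds

# Name shapes reported in the thread: rcuib.dll, apity.exe, ntcs32.exe, 'ntee2'.
NAME_RE = re.compile(r"^[a-z]{4}(?:[a-z0-9]|32)\.(exe|dll|dat)$", re.I)

def size_hint(name, size):
    """True if the size matches what posters observed (unverified reports)."""
    kb = math.ceil(size / 1024)  # Explorer's details view rounds up to whole KB
    ext = name.rsplit(".", 1)[-1].lower()
    return (ext == "exe" and kb in (9, 19, 29)) or (ext == "dat" and 88 <= kb <= 90)

def triage(entries, now, max_age_days=7):
    """Return sorted (name, reasons) for suspect-shaped files created recently."""
    # Name shape alone also matches user32.dll and ntdll.dll, so the creation
    # date is required as well, as the posts do by sorting on "created".
    cutoff = now - max_age_days * 86400
    hits = []
    for e in entries:
        if not NAME_RE.match(e.name) or e.created < cutoff:
            continue
        reasons = ["name-shape", "recently-created"]
        if size_hint(e.name, e.size):
            reasons.append("size-matches-report")
        hits.append((e.name, reasons))
    return sorted(hits)

def scan(directory):
    """List all files; os.scandir does not filter hidden or system files."""
    out = []
    for d in os.scandir(directory):
        if d.is_file(follow_symlinks=False):
            st = d.stat(follow_symlinks=False)
            # st_ctime is the creation time on Windows; use st_birthtime if present.
            out.append(Entry(d.name, st.st_size, getattr(st, "st_birthtime", st.st_ctime)))
    return out

if __name__ == "__main__":
    for folder in (r"C:\WINNT", r"C:\WINNT\System32"):  # folders from the first post
        if os.path.isdir(folder):
            print(folder, triage(scan(folder), time.time()))
```

Every hit is only a candidate for manual review: a legitimate file installed by a recent update can match the same name shape and date window.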