HJT! is a useful tool, but you have to know what you are doing when you select a line for it to fix (delete the registry entry for). It finds lines that are changed from what is normally found, but most of those lines have nothing to do with malware and are harmless.
It is best used along with other things or other information, or better still you can upload your HJT! log to a web site that specializes in telling you which lines you need to select (that does NOT include this site) that are associated with malware.
Even if you choose the right lines to delete, that may not get your computer completely back to the way it was before. The malware may very well be gone, or at least disabled, but some of the changes it made may still be there.
There is a lot of this type of malware these days, much of it coming from Russian sources. The problem is no one anti-malware program detects or removes all of them.
In my friend's case he had AVG 8.x and AdAware 2008 and neither found the malware he had when he did a full scan.
Did you make any notes about which hijacking malware you had, such as the sites the icons were directed to, or the site the browser home page went to?
If you did, you can use the name of the site without the .com or whatever to find complete removal instructions on the web, and sometimes, programs that will restore everything back to the way it was.
E.g. I cleaned out one of these hijacker anti-malware thingies a friend had on his computer, about a week ago.
If those do not sound familiar to you, you may need to search using info you have specific to your case.
If those DO sound familiar to you... or in any case...
I found by searching with those names on the web for removal instructions that the free version of Malwarebytes removes everything to do with that malware (it found much more than just the lines in HJT!), and using SmitFraudFix after that fixes all the changes it made. If there is more than one User on your computer, all, or only one, or not all, may need to have SmitFraudFix run on their User.
Download them and select your desktop as the location to download to, so that you can execute them easily despite the fact you may not be able to see the contents of C.
Instructions I found said to boot your computer into Safe mode before running either program, so that's what I did.
I was also able to disable the Resident Shield in AVG 8 before running them because its shortcut icon was on the desktop.
Both make a shortcut icon or folder on your desktop screen once installed.
You must update Malwarebytes before you run it.
I found some info about lines associated with this malware seen in HJT! logs, but it was already out of date, and they were different - they are apparently somewhat randomly generated. I searched with some of the odd file names in lines in my own HJT! log similar to those in the HJT! log they mentioned, and found other info in several places that said Malwarebytes finds both older and newer versions of this malware, and SmitFraudFix fixes the changes it makes.
I selected only two obvious lines for HJT! to fix - one for the home page hijack that included one of the URLs, the other an entry that disabled regedit from being used by the user.
After I ran Malwarebytes I ran HJT! again - there were four (or more) lines that were there before that were gone, two of which I had found no info about being associated with the malware, and two that I suspected were but was not sure about.
The free version of Malwarebytes has to be updated manually before you use it - use the full scan. (It doesn't search for tracking cookies - I like that feature.)
In this case, all of the malware components were on C, but if you have more than one hard drive partition, scan all of them.
SmitFraudFix is constantly being updated - make sure you get the latest version.
SmitFraudFix fixes the changes made by many of these things. The above names were not listed, but it fixed the changes it made anyway.
It changes the Home page to the default one for IE for the IE version you have, but that can be easily changed.
Be aware that some anti-malware programs such as AdAware 2008 flag SmitFraudFix.exe (the self-extracting download) or SmitFraudFix.exe (the executable made when you extract the download, in a folder it makes) as malware, despite the fact it is not, and they will quarantine and/or delete those if you let them. If you don't want them to do that, add those files or the folder they are in to an exclude or ignore list for the program.
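The post says the two HJT! lines worth fixing were the home page hijack and the entry that disabled regedit for the user. As an added example (not part of the original post, and not a script from HijackThis, Malwarebytes or SmitFraudFix), the PowerShell below reads those two indicators for the current user without changing anything, so you can confirm before and after a cleanup whether they are still set. The registry paths used are the standard locations for these values; the allow-list of acceptable home pages is an assumption you should fill in with your own default.

```powershell
# Added example, not from the original post. Read-only check of the two
# hijack indicators the post describes, for the user running the script.
# Run it once per Windows User, as the post notes that more than one
# User may be affected.

function Get-HijackIndicators {
    $findings = @()

    # Indicator 1: the per-user policy that disables regedit.
    # DisableRegistryTools is a DWORD; any non-zero value blocks regedit.
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $disable = (Get-ItemProperty -Path $policyKey -Name 'DisableRegistryTools' `
                -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($disable -and $disable -ne 0) {
        $findings += [pscustomobject]@{
            Indicator = 'DisableRegistryTools'
            Value     = $disable
            Location  = $policyKey
        }
    }

    # Indicator 2: the Internet Explorer home page for this user.
    # $expected is an assumed allow-list; put your own default here.
    $ieKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $expected = @('about:blank')
    $start = (Get-ItemProperty -Path $ieKey -Name 'Start Page' `
              -ErrorAction SilentlyContinue).'Start Page'
    if ($start -and ($expected -notcontains $start)) {
        $findings += [pscustomobject]@{
            Indicator = 'Start Page'
            Value     = $start
            Location  = $ieKey
        }
    }

    return $findings
}

$results = @(Get-HijackIndicators)
if ($results.Count -eq 0) {
    'No hijack indicators found for this user.'
} else {
    $results | Format-Table -AutoSize
}
```

Running it before the cleanup shows the hijacked values; running it again after Malwarebytes and SmitFraudFix should report nothing, except that SmitFraudFix resets the home page to the IE default, which you may want to add to `$expected`.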