Still Hijacked After Ad-Aware and Spybot turn up clean...

Status
Not open for further replies.

onrdbandit

Programmer
Mar 12, 2003
145
US
Howdy,

On one machine I have a problem with browser hijacking. Ad-Aware and Spybot turn up clean, but the browser homepage keeps being reset to res://ohnos.dll.

I did a Google search on the ohnos.dll file and found nothing. I was just wondering if anyone else knows of a solution to this one...

Thanks,
onrdbandit

No! Try not. Do, or do not. There is no try. - Yoda
 
Download and run HijackThis, then use the information in FAQ760-4897 to remove the hijacks.

John
 
I've noticed in the past few weeks that the names of the malware .dll's and .exe's have been randomized, thus rendering Google useless for that leg of cleanup.

Look at your processes when you boot up, and see if any are out of place (the idea being that there has got to be a .dll or .exe that's putting the entry back in the registry after you delete it). Try to pin down the process that, after you kill it, either:

a) Stops the entry from coming back after you delete it

or

b) Refuses to be killed, even though you know it's not a vital system process.

After you find the executable that replaces the entry and delete it (prolly in safe mode), fix the registry entry.

SELECT user
FROM users
WHERE common_sense IS EQUAL TO NULL;

-Shrubble
 
Thanks fellas...

I got the problem fixed. I was just wondering if anyone knew where these files came from:

System32\appie.exe (maybe it was "ei" instead, but I can't remember)
System32\winqv.exe
System32\sysfc.exe

There were a few more I can't remember. They were referenced in HijackThis, had hidden and system attributes, and were all either 25k or 9k. I deleted them and the registry references and problem solved...

Does anyone know where those files originate?

Just curious.

Thanks again guys.

No! Try not. Do, or do not. There is no try. - Yoda
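
The checks described in the posts above (the home page value, the autostart entries that could restore it, and small hidden+system executables in System32), as an added read-only PowerShell example that is not part of the original thread. It assumes a current Windows with PowerShell 3.0 or later; the 32 KB size ceiling and the signature column are assumptions chosen for illustration.

```powershell
# Added example: read-only triage, nothing is deleted or modified.
# The size ceiling and the signature check are illustrative assumptions.

# 1. Internet Explorer home page values (per-user and machine-wide).
$iePaths = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
           'HKLM:\Software\Microsoft\Internet Explorer\Main'
foreach ($p in $iePaths) {
    $v = Get-ItemProperty -Path $p -Name 'Start Page' -ErrorAction SilentlyContinue
    if ($v) {
        # A res:// home page points into a local DLL, as in the first post.
        $flag = if ($v.'Start Page' -like 'res://*') { 'SUSPECT (res:// URL)' } else { '' }
        '{0}  Start Page = {1}  {2}' -f $p, $v.'Start Page', $flag
    }
}

# 2. Autostart entries that could rewrite the home page at logon.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $item = Get-Item -Path $k -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        '{0}\{1} = {2}' -f $k, $name, $item.GetValue($name)
    }
}

# 3. Small .exe/.dll files in System32 carrying BOTH Hidden and System
#    attributes. -Force is required or hidden files are not listed at all.
$maxBytes = 32KB   # assumed ceiling; the thread reports files of 25k and 9k
$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
Get-ChildItem -Path "$env:SystemRoot\System32" -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Extension -in '.exe', '.dll' -and
        $_.Length -le $maxBytes -and
        ($_.Attributes -band $mask) -eq $mask
    } |
    Select-Object Name, Length, LastWriteTime,
        @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } } |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

A file name that appears in both the autostart listing and the hidden+system listing is the first candidate to examine; an unsigned status on its own is a lead, not proof.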
 
Probably a CoolWebSearch variant.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 