IE hijacked! Cannot get rid of this stupid thing


Magic Hat
06-28-2004, 12:07 AM
Ok here is the problem, my homepage keeps being set to the following

res://rqyxb.dll/index.html#96676

I've tried everything - from editing the registry keys to using HijackThis to Ad-Aware

Nothing removes this stupid thing. It keeps recreating the DLL after deletion and somehow attaches itself to IE

Any ideas how to remove this stupid thing :mad:

saturnine2
06-28-2004, 12:11 AM
Well, use Spybot and then use msconfig to see if anything bad is starting at boot, and try another browser! I havent used IE since it started having problems with malicious code 2 years ago. Mozilla Firebird is great, and so is Opera.

O[H]-Zone
06-28-2004, 12:15 AM
Spybot Search and Destroy (http://www.safer-networking.org/index.php?page=download)
Webroot Spy Sweeper (http://www.webroot.com/wb/products/spysweeper/index.php)
Spy Cleaner (http://www.topdownloads.net/software/browse.php?category=243)
I've found that none of these get them all, but all 4 (with Ad-Aware) have gotten everything so far. Hope this helped!

Magic Hat
06-28-2004, 12:15 AM
msconfig startup looks clean, running spybot now...hopefully this works....
I'm not a big fan of IE either but I just reformatted and was just browsing the web....geez....more holes than swiss cheese :p

saturnine2
06-28-2004, 12:17 AM
more holes than swiss cheese :p

naw, IE is more like a sponge. It absorbs all the germs on this here intarweb. :D

Magic Hat
06-28-2004, 12:18 AM
yea thanks, just started tweaking my fresh install and this stupid thing sets me back.

Magic Hat
06-28-2004, 12:24 AM
well while I wait, time to look for some tweaks to squeeze some more performance out of my 9800Pro :p

AchTuNG!
06-28-2004, 12:40 AM
download and run cws shredder.

pretty sure it will find something, but it will come back. let us know what happens and I will post more info later.

Magic Hat
06-28-2004, 12:53 AM
ok ran 3 or so SpyWare removers....all detected stuff and removed...but problem is still there after reboot......kinda lost now....there has to be something recreating that dll file

oakfan52
06-28-2004, 01:00 AM
try an application called "hijack this"

bobsaget
06-28-2004, 01:05 AM
I told you about the disadvantages about looking at porn. j/k :p

No really, Spybot S&E works every time when I get that shit.

oakfan52
06-28-2004, 01:06 AM
I told you about the disadvantages about looking at porn. j/k :p

No really, Spybot S&E works every time when I get that shit.


Not anymore. I spend more and more time every day manually removing spyware/adware that both programs can't find/remove. They are becoming more ineffective every day.

saturnine2
06-28-2004, 01:52 AM
Ahh, the joys of Linux :p

AchTuNG!
06-28-2004, 02:20 AM
ok ran 3 or so SpyWare removers....all detected stuff and removed...but problem is still there after reboot......kinda lost now....there has to be something recreating that dll file

which 3? did you run CWS shredder? what did it find?

Direwolf20
06-28-2004, 09:46 AM
I agree, use CWShredder (http://www.spywareinfo.com/~merijn/files/CWShredder.exe) - I'll be surprised if that doesn't solve your problem

Gibson
06-28-2004, 10:02 AM
Oh trust me, it won't. I have the same problem. There has yet to be a fix.

fusionrs
06-28-2004, 12:15 PM
I agree, use CWShredder (http://www.spywareinfo.com/~merijn/files/CWShredder.exe) - I'll be surprised if that doesn't solve your problem


Yep...Had the same issue with "About Blank" and Search For . . . here at work. Both of them removed with CWShred! Great program, def another to add to your collection.

GreNME
06-28-2004, 12:18 PM
Can we cut the "blah blah use something else" remarks? They are 1) not helpful as an answer, 2) the worst kind of "band-aid" (ignoring the problem), and 3) only useful because of the fact that their user bases are so small compared to the Win/IE combo that the makers of spyware/malware don't give a shit about them yet. There have been actual proofs of concept on Mac/Safari combos, which means (if anyone can follow logic) that it can be done on a *nix (or unix-like) OS if someone is so inclined. There has been a recent patch for OS X because one of the proofs made it out into the wild. Considering Macs have only a fraction of market presence compared to Win (and more than double that of Linux), this is significant enough to prove that eventually, there will be no adequate software for avoiding spyware/malware. The "use firefox" or "run Linux" lines are not going to be sufficiently helpful, and are only starting to read like "I don't know a damn thing about avoiding or fighting malware, so I hide my head in the sand" kinds of answers.

Now, this problem doesn't sound like a simple spyware issue, both on this thread and the other one. Has there been any other software installed on the machine that could possibly have helped open the door for this? Freeware tends to be rife with such things.

The HKLM/soft/microsoft/windows/currentversion/run thing is becoming old hat for malware nowadays, because they are now beginning to try to put themselves in less blatant places in order to be run. This is why HijackThis and similar programs are not finding them.

Boot into safe mode, run regedit, then do a search (ctrl+F) with HKLM highlighted. Search for that DLL name as a string anywhere within your HKLM, HKCU, HKU, and HKCC sections separately from each other. You may also want to try to search for that whole string (the res://wonky.dll/whatever) as a complete key as well. Also, any other pages it loads (fastclick.doubleclick.whatever.com) might be searchable in the reg, as well. No guarantees on that one, though.

Make sure you check your start>>All Programs>>Startup folder for anything.

While you're at it, run your favorite spyware removal programs in safe mode as well. Also run them as every user on the machine (because they can only seek out things for the user logged in, even for Administrator).

After you do this, you may still have something popping up. If you want to stop any advert sites from popping up randomly, you can always block their domain through the hosts file, and since fastclick, mediaclick, and doubleclick are the most infamous for these browser hijacks, you would stand a good chance of cutting off the worst offenders by adding at least these three domains.

Let me put together this list of things I've been compiling from searching various browser security sites, and then I'll post it in here and possibly on another thread. Hang tight and try out those I mentioned already, but I don't expect it to be conclusive. From what I can tell, there are possibly two exe files and a service that is loading that mitigates this hijack, which would explain why no spyware program can get rid of it.

More on this in a bit.

S1nF1xx
06-28-2004, 12:52 PM
Can we cut the "blah blah use something else" remarks? They are 1) not helpful as an answer, 2) the worst kind of "band-aid" (ignoring the problem), and 3) only useful because of the fact that their user bases are so small compared to the Win/IE combo that the makers of spyware/malware don't give a shit about them yet.

I fully agree.
If you're going to reply with "Just use ___(insert random browser name here) because IE sux0r0z.", you aren't contributing any technical information, and thus not helping. If you want to gush about how Über1337 your browser is, post on their boards instead. :rolleyes:

Fark_Maniac
06-28-2004, 03:33 PM
you guys can't use google?? I found this in 5 minutes...

http://www.spywareinfo.com/forums/index.php?showtopic=43492&st=30&#entry219322

Updated Solution, people were having problems deleting the .dll file from safe mode/Command Prompt Only

Download reglite
install "Reglite" and run it, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs into the address bar.
Double click on AppInit_DLLs to open a "Data Editor" properties window, if the bottom textfield named "Value" contains a .dll file; then this is the hidden file you need to get rid of.
You should not be able to delete this file if you try to clear the value field, IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.
Rename the Folder "Windows" (This is a purple "highlighted" folder in the left hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".
Click AppInit_DLLs again and clear the value containing the .dll and ok it. This should have removed the .dll
Rename the windows folder back to its original name "Windows".
Run SpyBot, Ad-Aware and CWShredder
Check the following three links for instructions on downloading and running the applications listed:
How to use Spybot to remove Spyware
How to use Ad-Aware to remove Spyware
How to Remove CoolWebSearch with CoolWeb Shredder
Next step will be to remove this dll file so make sure you have it noted down.
If you do not have a boot disk you can get access to one for a variety of platforms here Bootdisk.com
Insert relevant boot disk and restart:
Windows 95 - ME, insert your boot disk in the floppy drive

Windows xp - insert your cd-rom, press any key when prompted and wait for it to load then Press R to enter the recovery console.
I will assume you have a basic knowledge of DOS if you have any problems at this point just write back I will outline the commands.
Type in dir <path and name of dll as found in the appinit value box> and press "Enter". You should see the name of the file listed.
Go to the system32 folder (This is where the .dll file will typically reside) and type attrib -R "nameofdll".dll
Type del "nameofdll".dll
Type dir <path and name of dll as found in the appinit value box> and locate the dll name the dll should now have been removed and will not be listed.

Restart computer in safe mode (How do I boot into "Safe" mode?) and run the 3 ad-removal programs again, just to make sure all traces are gone.
Boot up pc as normal and you should be trouble free.
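The locations GreNME and the Reglite walkthrough above tell you to inspect by hand (AppInit_DLLs, the IE Start Page, the Run keys, the hosts file) can be checked in one pass. The following read-only audit script is an added example, not something posted in this thread or shipped with any tool it mentions; it assumes a modern PowerShell on the affected machine, uses the standard Windows key and value names, and treats the three ad-network names from the thread as constructed match patterns.

```powershell
# Read-only audit of the persistence points named in this thread (added example,
# not from the thread or any tool it mentions). Run in an elevated PowerShell
# prompt; it reports and changes nothing. Hive paths and value names are the
# standard Windows ones; the domain names are the thread's, used as patterns.

$findings = @()

# 1. AppInit_DLLs (HKLM): any DLL listed here is loaded into every user32 process,
#    which is how the hijacker DLL keeps coming back after it is deleted.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit -and $appInit.Trim()) {
    $findings += "AppInit_DLLs is populated: '$appInit' (write this path down before clearing it)"
}

# 2. IE Start Page (HKCU): the symptom in the first post is a res://<name>.dll/... value.
$ieMain  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPg = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($startPg -match '^res://') {
    $findings += "IE Start Page points at a resource DLL: $startPg"
}

# 3. Run keys: list every entry so unrecognised ones can be checked by hand.
#    Other users' hives (HKU\<SID>) need the same check, as the thread notes.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -notlike 'PS*') { $findings += "Run entry: [$key] $($p.Name) = $($p.Value)" }
    }
}

# 4. hosts file: is each ad network named in the thread already sinkholed to 127.0.0.1?
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsText = Get-Content -Path $hostsPath -ErrorAction SilentlyContinue
foreach ($name in 'fastclick', 'mediaclick', 'doubleclick') {
    $blocked = $hostsText | Where-Object { $_ -match "^\s*127\.0\.0\.1\s+\S*$name" }
    if (-not $blocked) { $findings += "hosts file does not block any $name domain" }
}

if ($findings.Count -eq 0) { 'No hijack indicators found in the audited locations.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Run it once before and once after the removal steps above so you can confirm the AppInit_DLLs value and the res:// Start Page are actually gone rather than trusting the reboot.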

AchTuNG!
06-28-2004, 06:31 PM
The HKLM/soft/microsoft/windows/currentversion/run thing is becoming old hat for malware nowadays, because they are now beginning to try to put themselves in less blatant places in order to be run. This is why HijackThis and similar programs are not finding them. Good Point!

yup. however, if this guy had run cws like i said, sure it would have come back. but i would have known what he had, and instructed the next step. this trojan is re-installed by the ntldr.exe file which can be found in the startup section of msconfig. I didn't want to post this right away, coz a lot of people might get snap happy and go deleting things they shouldn't. but hey, all i can do is try...

Phoenix86
06-28-2004, 06:37 PM
Good Point!

yup. however, if this guy had run cws like i said, sure it would have come back. but i would have known what he had, and instructed the next step. this trojan is re-installed by the ntldr.exe file which can be found in the startup section of msconfig. I didn't want to post this right away, coz a lot of people might get snap happy and go deleting things they shouldn't. but hey, all i can do is try...
Never hurts to lay out the next step, if people can't follow instructions, who cares if they blow up their rig.

Magic Hat
07-01-2004, 01:31 AM
thanks for the posts guys, first time in a few days I'm able to actually get on my computer.
I will try the above things to see if they work. I'll let you know how it turns out

Rick
07-01-2004, 03:13 AM
The http link looks similar to one that I saw while working on a PC the other day. Ran spybot and did a manual search but it kept coming back. Took a look at the processes running and there were .exe's that I didn't recognize. Turns out that the PC had a Trojan running on it and that was the cause of the IE hijack. You may want to do an all-file manual scan.

Phoenix86
07-01-2004, 09:51 AM
FYI,

I just spent about 5 hours cleaning up spyware on a machine here at work, was massively infected. I ran Ad-aware, found about 150 items, rebooted, did its boot scan, found 0. But the spyware was still there. Ran CWS shredder, found one instance, removed it. Ran Spy Sweeper, it found 220 items. I Ran Spybot and it found another 12 or so items.


Conclusions:

1.Ad-aware isn't cutting the mustard, it missed TONS of crap. Spy sweeper seemed to do a much better job and removed the spyware Ad-aware missed. I'm considering using Spy Sweeper as my first line defense (in cleaning).

2. It takes multiple programs to effectively remove spyware, don't just run a single scanner.

3. Spyware is now breaking systems, causing extra repair above and beyond spyware removal. In this case I couldn't add certain toolbars (quick launch and desktop) to the start bar. The quick launch toolbar was already setup, the spyware removed it from the start menu, and we couldn't add it (windows title: toolbar, error: cannot create toolbar). There were lots of 'fixes' for this on the web, but none worked. Basically the quick launch toolbar is a folder and a reg. entry, both were there and all permissions and properties of these matched working systems, recreating them didn't work. I had to do a repair reinstall over the top of the existing load to resolve the problem (likely a corrupt/bad .dll).

I have also seen Spyware kill the network stack, so no network, and crash explorer.exe.

Fark_Maniac
07-01-2004, 10:52 AM
Phoenix, you might want to put the link for Spy Sweeper in the sticky thread.

as advanced as spy/malware is getting, it only makes sense to have multiple programs to secure themselves. the sticky is a thread to inform users about software as well as where to get it.

Phoenix86
07-01-2004, 12:18 PM
Done,

Here's one for this thread too (d'oh!).

Spy Sweeper (http://www.webroot.com/wb/products/spysweeper/index.php)

Bill Clo
07-05-2004, 05:29 PM
Don't forget running these:

http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button

http://www.misec.net/