Wednesday, May 26, 2004

Hijacked III - Cool Web Search
Sorry for the sequels... the hijacker came back. I finally nailed it down though. It was a variant of CWS (coolwebsearch), a very nasty hijacker. It had put an entry in the registry that made a file in the system32 directory invisible... then it was loading this every time explorer loaded.

You can recognize a CWS hijack by running Hijackthis.exe. It will show several entries like:

HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\edjika.dll/sp.html (obfuscated)

Removing them in HijackThis only solves the problem temporarily; very quickly you'll see them back again. If you delete the offending DLL, the hijacker simply recreates it under a new name (edjika.dll is a randomly generated name). It also disables the SpyBlaster software so that it can't run.

After searching on the web I finally came across the final solution, thanks to 'Bulldog' at tweakxp.com support.
---
Download Registrar lite and install it: http://www.resplendence.com/reglite
Run it, copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Hit the "go" tab and find the "AppInit_DLLs" value on the right-hand side.

This will tell you the name of the hidden dll causing the problems to return.

You'll see the completely invisible downloader trojan, which you need to get rid of.
It will be listed as: C:\WINDOWS\System32\resehk.dll (this name is variable)

Bulldog writes:
The next steps would make that file visible.

-Rename the folder Windows (highlighted as a purple folder in the left-hand pane of reglite) to NotWindows.

-Click "AppInit_DLLs" again and clear the data value: C:\WINDOWS\System32\resehk.dll. Then locate resehk.dll in the System32 folder, but don't attempt to delete it yet. (Remember to enable "show system and hidden files".)

Go to your root drive: C:\ And create new folder, Name it: "junk"

Unzip and run the 'Winfile' you previously downloaded.
Expand and navigate to System32 folder.
You need to navigate by Double clicking to expand.

When in System32, click the top menu: File > Select files.
Copy and paste into the box: resehk.dll, then hit Select.
Find and highlight that file. Next, in the top menu go to Security > Permissions and
tell us what is listed there for that file. Also check the 'Owner' tab.

Lastly, try this: Menu -File>move... In From: Copy/paste: C:\WINDOWS\System32\resehk.dll
To: Copy and paste: C:\junk\resehk.dll
And hit ok.

Close Winfile and check in C:\junk for that file.
---
(Micah adds:) Run hijackthis.exe and clear out the associated links to the other dll.

Reboot, then delete the 'junk' folder along with the other associated DLL. Hopefully this solves the problem. Email or comment if you need help.
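To confirm the two symptoms described above (the res:// search entries and the AppInit_DLLs value) before editing anything by hand, here is a read-only audit script. It is an added example, not code from the post or from Bulldog, and it assumes a current Windows with PowerShell; the 64-bit WOW6432Node key and the LoadAppInit_DLLs switch it reports did not exist on the XP machines in the original thread.

```powershell
$findings = @()

# 1. IE "Main" values pointing at res://<something>.dll/... (the HijackThis symptom above).
foreach ($hive in 'HKCU', 'HKLM') {
    $ieMain = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    $props = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($name in 'Search Bar', 'Search Page', 'Start Page', 'Default_Search_URL') {
        $val = $props.$name
        if ($val -and ($val -match '^res://(.+?\.dll)/')) {
            $findings += "$ieMain\$name = $val  (DLL: $($Matches[1]))"
        }
    }
}

# 2. AppInit_DLLs: every DLL listed here is loaded into each process that loads user32.dll,
#    which is how the hidden file keeps recreating the entries above. On 64-bit Windows the
#    WOW6432Node copy governs 32-bit processes, so both keys are checked.
$keys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows')
foreach ($key in $keys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }
    $list = [string]$p.AppInit_DLLs
    if (-not $list.Trim()) { continue }
    $findings += "$key\AppInit_DLLs = '$list' (LoadAppInit_DLLs=$($p.LoadAppInit_DLLs))"
    # The value may hold several entries, comma- or space-separated, with or without a directory.
    foreach ($entry in ($list -split '[,\s]+' | Where-Object { $_ })) {
        $path = $entry
        if (-not [IO.Path]::IsPathRooted($entry)) { $path = Join-Path $env:SystemRoot "System32\$entry" }
        # -Force is what makes a Hidden/System file show up at all.
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($null -eq $file) {
            $findings += "  $path is listed but cannot be seen even with -Force (or no longer exists)"
            continue
        }
        $owner = (Get-Acl -LiteralPath $path).Owner
        $sig   = (Get-AuthenticodeSignature -LiteralPath $path).Status
        $findings += "  $path  attrs=$($file.Attributes) owner=$owner signature=$sig"
    }
}

if ($findings.Count -eq 0) { 'No CWS-style entries found.' } else { $findings }
```

Run it from an elevated PowerShell; an unsigned, Hidden/System DLL in AppInit_DLLs that HijackThis keeps "fixing" is the pattern the post describes, and the attributes and owner it prints are the same details Bulldog asks for from Winfile.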