need help with hijacker - adware.websearch

  • Thread starter Thread starter Jud McCranie
  • Start date Start date
J

Jud McCranie

I've picked up a browser hijacker that I can't get rid of. It tries
to go to c:\searchpage.html, which was a file of 0 bytes. I deleted
it. Norton antivirus detected two copies of Asware.websearch. NAV
quarantined the file mshelper.dll. Many of the other instructions for
this hijacker didn't apply (registery stuff and add/remove "search
toolbar").

It removed one copy, but only gave me the option of excluding the
second one.
I also removed it with SpyBot (2 copies), but it keeps coming back.

I know it is resetting
hkey_local_machine\software\microsoft\windows\currentversion\url:

home c:\searchpage.html?page=
mosaic c:\searchpage.html?page=
www c:\searchpage.html?page=

I can delete these but a minute later they are back. Even in safe
mode.

How can I get rid of this thing?

Thanks in advance
 
It removed one copy, but only gave me the option of excluding the
second one.
I also removed it with SpyBot (2 copies), but it keeps coming back.
Click to expand...

I also ran HijackThis, and it showed several lines with
c:\searchpage.html?page=
so I deleted them, but a minute later they came back.
 
It removed one copy,
Click to expand...

Actually, reading the log it failed to delete it.

The file is \windows\system32.mshelper.dll.

I deleted that, but the problem still comes back.
 
I have found that using spybot tends to fix things that adaware misses
and vice versa. I'm sorry I cant be more help.
docfl
 
Then work with the advisors on how to get rid of it. Also, you can
browse through the problems and solutions for others' posts and
perhaps find a solution.
Click to expand...

After about 7 hours of work and following suggestions, I got rid of
it.

Norton anit-virus couldn't delete it. When I tried to delete the file
myself, I couldn't delete it either - it said "access denied". It was
NOT marked read only, system, or hidden. One of the suggestions said
to rename it, do some other things, then it could be deleted.

Can a file that says "access denied" actually be deleted some way?
 
After about 7 hours of work and following suggestions, I got rid of
it.

Norton anit-virus couldn't delete it. When I tried to delete the file
myself, I couldn't delete it either - it said "access denied". It was
NOT marked read only, system, or hidden. One of the suggestions said
to rename it, do some other things, then it could be deleted.

Can a file that says "access denied" actually be deleted some way?
Click to expand...

Files that are in use will be denied access. You need to work in Safe
mode. With Win 9x/Me you can boot up into DOS using your system disk.


Art
http://www.epix.net/~artnpeg
 
Jud,

End the process first if running via the Task Manager, uncheck it from
msconfig/startup if listed, then:

Can't Delete a File or Folder in XP
http://www.kellys-korner-xp.com/xp_d.htm#del

You Cannot Delete a File or a Folder:
http://support.microsoft.com/?id=kb;en-us;Q320081

HOW TO: Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q308421

Troubleshooting, Removing and/or Cleaning Add or Remove Programs
http://www.kellys-korner-xp.com/xp_a.htm#addremove
 
Jud McCranie said:
Can a file that says "access denied" actually be deleted some way?
Click to expand...

Get Process Explorer from Sysinternals (the version appropriate to
your OS). Locate the task that's implicated, right-click and choose
Properties. That (or a seach for the DLL) identifies the program that
started it. Rename the folder containing said program, or rename the
program itself, and reboot. That often works for me, especially when
the file can't delete it even is Safe mode.

Cheers,
Larry
 
Jud,
Check the ownership of the files, I had to take ownership to delete
them.
Does anyone know what kind of info is sent back to websearch, or why
it downloads so many files?
Good luck.
 
Back
Top