
About:Blank hijacker (Download.trojan) with NTFS-based systems (Windows NT, Windows XP, Windows 2000)

by amen1973
Some of the newer hijackers use Alternate Data Streams to hijack the home page on a system formatted with NTFS. Hijackers that use this method will not run on FAT32 systems. Most of these hijackers add a value in the registry under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Regedit itself does not show the value of this key; however, Registrar Lite does.

Download RegLite here:
http://www.resplendence.com/reglite

Install RegLite and navigate to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
Double-click the AppInit_DLLs key. If there is a value within the key, this is most likely the culprit.
Write down the DLL that is found in the value.
It will more than likely point to C:\Windows\System32 or C:\Winnt\System32 (if your root drive is C:).

OK, we now know the DLL that is possibly causing the hijacking.

Also download HijackThis, because we will use it at the end of the process.
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Now we want to boot to the Recovery Console.
Insert your OS CD into the CD drive and then reboot.
After it boots from your CD you will have some options.
Choose R for Repair to boot into the Recovery Console.
It will then ask you which drive you would like to log on to. After you choose, enter your administrator password if you have one; if you do not, just hit Enter.

Now navigate to the path of the DLL you found in the AppInit_DLLs value, which should be windows\system32 or winnt\system32. More than likely the prompt is already at C:\Windows or C:\Winnt. If the prompt already points to the Windows root, type "cd system32" to get to the correct path. Now type "dir" to list the files in the directory and see whether the hidden DLL exists. You can hit the space bar to scroll a full page at a time. If the DLL exists, hit Escape when you find it.

nameofdll = the DLL you wrote down
Now type "attrib -r nameofdll.dll"
Now rename the DLL (I rename it just in case this DLL was not the bad DLL).
To do this, type "rename nameofdll.dll whatever.dll"
You can name it whatever you want.
Remove the CD from the drive and then type "Exit"

You will want to boot into Safe Mode now.
To do this, hit F8 multiple times before the Windows splash screen. Choose Safe Mode when the menu appears.

Now run HijackThis and click Scan. The values we are going to look at begin with R#, that is R0, R1, R2, R3 and so on. Example: R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
Now choose the values that are not related to either your manufacturer's site or values you know are legitimate. Then click "Fix Checked".
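
The R# review in this step can also be run over a saved HijackThis log. The Python below is an added example, not part of the original FAQ or of HijackThis; the log lines and the allowed domain vendor.example are constructed, and the line pattern is generalized from the single R0 line quoted above.

```python
import re
from urllib.parse import urlsplit

# "R<n> - <hive>\<key>,<value name> = <data>": the shape of the R0 line quoted in
# the FAQ, generalized here to any R number (an assumption of this example).
R_ENTRY = re.compile(r"^(R\d+) - (HK(?:LM|CU)\\[^,]+),(.*?) ?= ?(.*)$")

# Constructed sample log; none of these lines come from a real scan.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.vendor.example/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vendor.example.lookalike.test/home
O2 - BHO: (constructed line, not an R entry)
"""

def parse_r_entries(log_text):
    """Return one dict per registry-backed R entry; every other line is skipped."""
    entries = []
    for line in log_text.splitlines():
        m = R_ENTRY.match(line.strip())
        if m:
            code, key, name, data = (g.strip() for g in m.groups())
            entries.append({"code": code, "key": key, "name": name, "data": data})
    return entries

def host_allowed(host, allowed_domains):
    """True for an allowed domain or a subdomain of it (match on whole labels)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def needs_review(entry, allowed_domains):
    """True when the value is neither empty nor an http(s) URL on an allowed domain."""
    if not entry["data"]:
        return False  # empty value: nothing is being redirected
    parts = urlsplit(entry["data"])
    if parts.scheme not in ("http", "https"):
        return True   # about:, res://, file:// and similar are checked by hand
    return not host_allowed(parts.hostname or "", allowed_domains)

def triage(log_text, allowed_domains):
    """Entries to inspect before choosing what to fix."""
    return [e for e in parse_r_entries(log_text) if needs_review(e, allowed_domains)]

if __name__ == "__main__":
    # "vendor.example" stands in for your manufacturer's site (hypothetical, lowercase).
    for e in triage(SAMPLE_LOG, ["vendor.example"]):
        print(e["code"], e["key"], e["name"], "=", e["data"])
```

The host match is done on whole domain labels, so a look-alike such as vendor.example.lookalike.test is still listed for review even though it contains the allowed name.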

Now click Start | Control Panel | Internet Options.
In Windows XP, if Internet Options is not displayed, click Network and Internet Connections.
Change your homepage to what you want it to be, click Apply and then OK.
Now restart your computer.

Test to see if the hijacker is gone by opening Internet Explorer. If it is gone, go to the system32 folder and delete the DLL that you renamed. Open RegLite and navigate back to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
Double-click AppInit_DLLs, delete the value from the key, hit Apply and then click OK on the prompt.

Now run Ad-aware SE and Spybot Search and Destroy.

Ad-aware can be downloaded from:
http://www.lavasoftusa.com/support/download/

Spybot can be downloaded from:
http://www.safer-networking.org/en/download/index.html

I hope this helps
Art




