Wednesday, January 30, 2008

Web Browser Homepage Changed to is a browser hijacker that can redirect the Internet Explorer homepage to If your virus scanner or anti-spyware software does not find and clean the infection automatically, you can remove it manually with the steps below.

1. Disable System Restore

Windows XP instructions

* Right Click on My Computer
* Select the System Restore Tab
* Check the Turn Off System Restore box
* Click Ok.
* A message “This deletes all existing restore points” will appear, click on yes
* Click Ok
* Make sure to turn on System Restore after you complete the removal process

Windows Vista instructions

* Click the Start Button
* Click Control panel
* Double click the System icon
* On the Left of the System properties window you will see a list of Tasks, click on the System protection link
* In the System Protection window remove the check mark from beside all your drives
* A message will now appear asking: 'Are you sure you want to turn System restore off'
* Click the Turn System Restore Off button
* Make sure to turn on System Restore after you complete the removal process

2. Reboot the computer into Safe Mode with Networking Support

3. Download the Ewido Micro Scanner and perform a scan

* It will download the updated Signature Database before scanning
* When the update is completed, disconnect the computer from the Internet by unplugging your network cable, disabling your network connection or turning off your modem or router
* Click Start scan to begin the scan and let it run
* When finished scanning, click Save Report because this will be used later as a reference when modifying the registry.
* Save the Ewido report on your Desktop
* Click Remove Infection to delete infected files. Do not close the Ewido Micro Scanner

4. Perform a Disk Cleanup

* Click on Start, All Programs, Accessories, System Tools, Disk Cleanup
* Let it scan for files.
* When prompted for files to delete, check all and click Ok
* Click yes to confirm

5. Delete/Modify any values added to the registry

* Click Start and then Run
* Type regedit
* Click Ok
* Navigate to the following key
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
* Delete the values in the right pane that are related to .exe and .dll files detected earlier by the Ewido Scanner. Use the Ewido report as reference.
* Delete entries that contain any of these files:

o AVPSrv.exe
o TxoMou.exe
o LotusHlp.exe
o MsIMMs32.exe
o MSPrint32D.exe
o 35691M.exe
o upxdnd.exe
o SvTh.exe
o gjcsczc.exe
o swrcfac.exe
o rarjetl.exe
o sos.exe
o SSLDyn.exe
o cmdbcs.dll
o mszxaab32.dll
o FTCCompress.dll

* Close the registry editor when done.

6. End any processes that shouldn’t be running

* Press Ctrl+Alt+Del
* Click the Process Tab
* End any .exe and .dll processes from the files that were detected earlier by Ewido Scanner if present
* Also end any processes from the malicious files list from above

7. Search for and delete any malicious files

* Click on Start and then Search
* Click all files and folders
* Enter the malicious file's name in the "All or part of the file name" field.
* Click on Search
* If found, right click on the file and Delete it
* Do the same for all of the malicious files one at a time

8. Delete any hidden and autorun files

* Click on Start and then Run
* Type cmd and click Ok
* A command prompt will appear
* Type cd\ [Press Enter]
* Type dir/ah [Press Enter] (This will display hidden malicious and autorun files)
* There should be two files such as sos.exe and autorun.inf
* Then type “ATTRIB” which will list files with corresponding attributes. Usually files of the Downloader.Agent have an attribute of SHR.
* Type “ATTRIB -S -H -R C:\soS.Exe” (replace soS.Exe with the name of the file listed in the autorun.inf file)
* Type “ATTRIB -S -H -R C:\Autorun.Inf”
* Type “del soS.Exe”
* Type “del Autorun.Inf”
* Type “ATTRIB” again to see if the two files are deleted
* If clean, type “Exit” to close command prompt window

9. Scan again with Ewido

* While Ewido Micro Scanner is still open, click Start a new Scan to perform another scan.
* Delete any infected files found

10. Restore your Internet Explorer default page

* Click on Start then Run and type gpedit.msc and click Ok (Windows XP Pro only - see note)
* Navigate to User Configuration / Administrative Templates / Windows Components / Internet Explorer
* Click “Disable changing home page settings” and set it to Disabled
* Exit Group Policy Editor
* Open Internet Explorer
* Click Tools and then Internet Options
* On the General tab enter the URL of your desired website

If you don’t have Windows XP Pro you can use the registry editor to enable the task manager and change your IE homepage.

Click Start and then Run
Type regedit and click Ok

To Enable Task Manager

* Navigate to the following registry key
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
* Change the value DisableTaskMgr to 0

To Change your IE homepage

* Navigate to the following registry key
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
* Modify the value of Start Page
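
A read-only check of the locations that steps 5, 8 and 10 edit by hand, as an added PowerShell example that is not part of the original post. It assumes PowerShell 3.0 or later; the HKCU Run key and the helper name New-Finding are additions made here, not taken from the page.

```powershell
# Added example: read-only audit; nothing here deletes or changes anything.
# File names copied from the list in step 5 of this page.
$suspect = 'AVPSrv.exe','TxoMou.exe','LotusHlp.exe','MsIMMs32.exe','MSPrint32D.exe',
           '35691M.exe','upxdnd.exe','SvTh.exe','gjcsczc.exe','swrcfac.exe',
           'rarjetl.exe','sos.exe','SSLDyn.exe','cmdbcs.dll','mszxaab32.dll',
           'FTCCompress.dll'
$pattern = ($suspect | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Hypothetical helper: gives every finding the same four columns.
function New-Finding($Check, $Location, $Name, $Data) {
    [pscustomobject]@{ Check = $Check; Location = $Location; Name = $Name; Data = [string]$Data }
}

# Step 5: Run-key values whose command line names a listed file.
# The HKCU key is an assumption added here; the page names only the HKLM key.
foreach ($path in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match $pattern) { New-Finding 'RunKey' $path $name $data }
    }
}

# Step 8: hidden autorun.inf or listed files in each drive root, and the
# command lines that autorun.inf would launch.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                       $_.Name -match ('^autorun\.inf$|' + $pattern) } |
        ForEach-Object { New-Finding 'RootFile' $_.FullName $_.Name $_.Attributes }
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.+\\command)\s*=' } |
            ForEach-Object { New-Finding 'AutorunInf' $inf 'launch entry' ($_.Trim()) }
    }
}

# Step 10: the two per-user values the page edits in regedit.
$sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ie  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$tm  = Get-ItemProperty -Path $sys -Name DisableTaskMgr -ErrorAction SilentlyContinue
$sp  = Get-ItemProperty -Path $ie -Name 'Start Page' -ErrorAction SilentlyContinue
New-Finding 'TaskMgrPolicy' $sys 'DisableTaskMgr' ($tm.DisableTaskMgr)
New-Finding 'IEHomepage' $ie 'Start Page' ($sp.'Start Page')
```

Run it before the cleanup to see what is present and again after step 9; an empty Data column for DisableTaskMgr means the policy value is not set.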

*Disclaimer - Do the above procedures at your own risk. is not responsible for any damage the procedures may cause to your computer.
